CVE-2018-1131 - Deserialization of Untrusted Data vulnerability in multiple products

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
CWE-502: Deserialization of Untrusted Data

Summary

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

Red Hat

Advisories
  • RHSA-2018:1833
  • RHSA-2019:3892