CVE-2017-2638

moderate-risk

Published 2018-07-16

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Do I need to act?

0.50% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Infinispan

Jboss Data Grid

Affected Vendors

Redhat Infinispan

References (10)

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-1097.html

Third Party Advisory http://www.securityfocus.com/bid/97964

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638

Patch https://github.com/infinispan/infinispan/pull/4936/commits

Third Party Advisory https://issues.jboss.org/browse/ISPN-7485

Third Party Advisory http://rhn.redhat.com/errata/RHSA-2017-1097.html

Third Party Advisory http://www.securityfocus.com/bid/97964

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638

Patch https://github.com/infinispan/infinispan/pull/4936/commits

Third Party Advisory https://issues.jboss.org/browse/ISPN-7485

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 2/34 · Minimal

Exposure 7/34 · Low