CVE-2018-1131

moderate-risk
Published 2018-05-15

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

Do I need to act?

-
0.53% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (6)

Infinispan
Infinispan
Infinispan
Infinispan
Infinispan

Affected Vendors

Redhat Infinispan

References (8)

Third Party Advisory http://www.securityfocus.com/bid/104218
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1833
https://access.redhat.com/errata/RHSA-2019:3892
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1576492
Third Party Advisory http://www.securityfocus.com/bid/104218
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:1833
https://access.redhat.com/errata/RHSA-2019:3892
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1576492
45
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 2/34 · Minimal
Exposure 13/34 · Low