CVE-2017-15089

Aliases:GHSA-46r5-59fg-2fjc

Advisory lineage Upstream: 0 Downstream: 3

Downstream

RHSA-2018:0479 RHSA-2018:0480 RHSA-2018:0481

Modified

Published: 15 Feb 2018, 17:00

Last modified:16 Sept 2024, 19:05

Vulnerability Summary

Overall Risk (default)

medium

36/100

CVSS Score

8.8 HIGH

v3.0 (nvd)

EPSS Score

1.84% LOW

2% probability -2.07%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

15 Feb 2018, 17:00

Published

Vulnerability first disclosed

16 Sept 2024, 19:05

Last Modified

Vulnerability information updated

Description

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

CVSS Metrics

v3.0•HIGH•Score: 8.8CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 1.84%• Percentile: 83%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

infinispan•infinispan
≤ 9.1.6 | 9.2.0:alpha1 | 9.2.0:alpha2 | 9.2.0:beta1 | 9.2.0:beta2 | 9.2.0:cr1 | < 9.2.0.CR1
org.infinispan•infinispan-core
< 9.2.0.CR1