CVE-2020-10746

Published: Oct 19, 2020Modified: Nov 21, 2024

6.1

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Exploitability: 1.8 / Impact: 4.2

Source: NVD

Description

A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.

Affected (1)

Products: Infinispan: Infinispan Server Runtime

1 product

Infinispan Server Runtime

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Infinispan Infinispan Server Runtime	Version 10.0.0

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://bugzilla.redhat.com/show_bug.cgi?id=1835922

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=1835922

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingThird Party Advisory

Timeline

No history available yet.