CVE-2016-0750

CWE-138 CWE-502 — Deserialization of Untrusted Data5 documents5 sources

Severity

8.8HIGH

EPSS

0.5%

top 32.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infinispan Infinispan RED HAT Infinispan

Timeline

PublishedSep 11

Latest updateMay 13

Description

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages2 packages

▶NVDinfinispan/infinispan< 9.1.0

▶CVEListV5red_hat/infinispan9.1.0.Final

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-4hhg-8ghq-vwq6: The hotrod java client in infinispan before 9↗2022-05-13

▶

CVEList

CVE-2016-0750: The hotrod java client in infinispan before 9↗2018-09-11

▶

📋Vendor Advisories

Red Hat

client: unchecked deserialization in marshaller util↗2017-11-16

▶

💬Community

Bugzilla

CVE-2016-0750 hotrod client: unchecked deserialization in marshaller util↗2016-01-20

▶