CVE-2017-15089

CWE-502 — Deserialization of Untrusted Data6 documents6 sources

Severity

8.8HIGH

EPSS

1.8%

top 17.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Infinispan Infinispan

Timeline

PublishedFeb 15

Latest updateMay 14

Description

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.infinispan:infinispan-core< 9.2.0.CR1

▶NVDinfinispan/infinispan9.1.6+1

▶CVEListV5infinispan/infinispanbefore 9.2.0.CR1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Deserialization of Untrusted Data in Infinispan↗2022-05-14

▶

GHSA

Deserialization of Untrusted Data in Infinispan↗2022-05-14

▶

CVEList

CVE-2017-15089: It was found that the Hotrod client in Infinispan before 9↗2018-02-15

▶

📋Vendor Advisories

Red Hat

infinispan: Unsafe deserialization of malicious object injected into data cache↗2018-02-12

▶

💬Community

Bugzilla

CVE-2017-15089 infinispan: Unsafe deserialization of malicious object injected into data cache↗2017-10-18

▶