CVE-2018-1131

CWE-349 CWE-502 — Deserialization of Untrusted Data7 documents7 sources

Severity

8.8HIGH

EPSS

0.5%

top 32.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED Hat, Inc. Infinispan Infinispan Infinispan Redhat Jboss Data Grid

Timeline

PublishedMay 15

Latest updateMay 13

Description

Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

▶Mavenorg.infinispan:infinispan-core9.3.0.Alpha1 — 9.3.1.Final

▶NVDinfinispan/infinispan5 versions+4

▶NVDredhat/jboss_data_grid7.2

▶CVEListV5red_hat,_inc./infinispan5 versions+4

🔴Vulnerability Details

OSV

Deserialization of Untrusted Data in Infinispan↗2022-05-13

▶

GHSA

Deserialization of Untrusted Data in Infinispan↗2022-05-13

▶

CVEList

CVE-2018-1131: Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations↗2018-05-15

▶

💥Exploits & PoCs

Exploit-DB

Microsoft SQL Server Management Studio 17.9 - '.xel' XML External Entity Injection↗2018-10-11

▶

📋Vendor Advisories

Red Hat

infinispan: deserialization of data in XML and JSON transcoders↗2018-05-14

▶

💬Community

Bugzilla

CVE-2018-1131 infinispan: deserialization of data in XML and JSON transcoders↗2018-05-09

▶