Severity: 6.5 MEDIUM
EPSS: 0.2% (top 59.98%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Dec 3; latest update Feb 9

Description

A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authorization (authz) is enabled, any authenticated user can perform operations such as shutting down the server without holding the ADMIN role.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Exploitability: 1.2 | Impact: 5.2

Affected Packages (4 packages)

NVD: infinispan/infinispan < 11.0.6
Maven: org.infinispan:infinispan-core < 11.0.6.Final
CVEList V5: infinispan / Infinispan 11.0.6 Final

🔴 Vulnerability Details (3)

OSV: Improper Access Control in infinispan-server-runtime (2022-02-09)
GHSA: Improper Access Control in infinispan-server-runtime (2022-02-09)
CVEList: CVE-2020-25711: A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations (2020-12-03)

📋 Vendor Advisories (1)

Red Hat: infinispan: authorization check missing for server management operations (2020-11-13)

Source: cvebase.io, CVE-2020-25711 (MEDIUM, CVSS 6.5)