CVE-2021-31917

CWE-287Improper Authentication4 documents4 sources
Severity
9.8CRITICAL
EPSS
0.4%
top 37.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Infinispan Infinispan-server-restRedhat Data Grid
Timeline
PublishedSep 21
Latest updateMay 24

Description

A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages3 packages

CVEListV5red_hat_datagrid_and_infinispanRed Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0)
NVDinfinispan/infinispan-server-rest10.0.011.0.12+1
NVDredhat/data_grid4 versions+3

🔴Vulnerability Details

2
GHSA
GHSA-gwqg-r7f7-jjw4: A flaw was found in Red Hat DataGrid 82022-05-24
CVEList
CVE-2021-31917: A flaw was found in Red Hat DataGrid 82021-09-21

📋Vendor Advisories

1
Red Hat
Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism2021-05-26
CVE-2021-31917 (CRITICAL CVSS 9.8) | A flaw was found in Red Hat DataGri | cvebase.io