CVE-2023-5384

CWE-312Cleartext Storage of Sensitive Info5 documents5 sources
Severity
2.7LOW
EPSS
0.5%
top 32.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Data Grid
Timeline
PublishedDec 18
Latest updateDec 28

Description

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages9 packages

Mavenorg.infinispan:infinispan-cachestore-jdbc15.0.0.Dev0115.0.0.Dev07+1
Mavenorg.infinispan:infinispan-cachestore-remote15.0.0.Dev0115.0.0.Dev07+1
Mavenorg.infinispan:infinispan-cachestore-jdbc-common15.0.0.Dev0115.0.0.Dev07+1
Mavenorg.infinispan:infinispan-cachestore-sql15.0.0.Dev0115.0.0.Dev07+1
Mavenorg.infinispan:infinispan-core15.0.0.Dev0115.0.0.Dev07+1

🔴Vulnerability Details

3
GHSA
Infinispan caches credentials in clear text2023-12-28
OSV
Infinispan caches credentials in clear text2023-12-28
CVEList
Infinispan: credentials returned from configuration as clear text2023-12-18

📋Vendor Advisories

1
Red Hat
infinispan: Credentials returned from configuration as clear text2023-12-06