Redhat Data Grid vulnerabilities
20 known vulnerabilities affecting redhat/data_grid.

Total CVEs: 20
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 6, MEDIUM 8, LOW 1

Vulnerabilities
(Each entry: CVE id | severity | CVSS score | version, or "fixed in" where stated | published date; second line: rating and CWE as given by the source.)
CVE-2026-28368 | CRITICAL | CVSS 9.1 | version: v8.0 | published: 2026-03-27
Rated [HIGH] | CWE-444 | source: nvd
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exploited to launch request smuggling attacks, potentially bypassing security controls and accessing unaut
CVE-2026-28369 | CRITICAL | CVSS 9.1 | version: v8.0 | published: 2026-03-27
Rated [HIGH] | CWE-444 | source: nvd
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can be exploited by a remote attacker to perform request smuggling. Request smuggling allows an attacker t
CVE-2026-3260 | HIGH | CVSS 7.5 | version: v8.0 | published: 2026-03-24
Rated [MEDIUM] | CWE-770 | source: nvd
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like `getParameterMap()`, the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentia
CVE-2025-12543 | CRITICAL | CVSS 9.6 | version: v8.0 | published: 2026-01-07
Rated [CRITICAL] | CWE-20 | source: nvd
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests. As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perf
CVE-2025-5731 | MEDIUM | CVSS 5.5 | version: v8.5.4 | published: 2025-06-26
Rated [MEDIUM] | CWE-209 | source: nvd
A flaw was found in Infinispan CLI. A sensitive password, decoded from a Base64-encoded Kubernetes secret, is processed in plaintext and included in a command string that may expose the data in an error message when a command is not found.
CVE-2025-23368 | HIGH | CVSS 8.1 | version: v8.0 | published: 2025-03-04
Rated [HIGH] | CWE-307 | source: nvd
A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.
CVE-2024-7885 | HIGH | CVSS 7.5 | version: v8.0.0 | published: 2024-08-21
Rated [HIGH] | CWE-362 | source: nvd
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. This issue occurs when the parseProxyProtocolV1 method processes multiple requests on the same HTTP connection. As a result, different requests may share the same StringBuilder instance, potentially leading to inform
CVE-2023-3629 | MEDIUM | CVSS 6.5 | fixed in 8.4.4 | published: 2023-12-18
Rated [MEDIUM] | CWE-304 | source: nvd
A flaw was found in Infinispan's REST. Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
CVE-2023-3628 | MEDIUM | CVSS 6.5 | fixed in 8.4.4 | published: 2023-12-18
Rated [MEDIUM] | CWE-304 | source: nvd
A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
CVE-2023-5236 | MEDIUM | CVSS 6.5 | fixed in 8.4.4 | published: 2023-12-18
Rated [MEDIUM] | source: nvd
A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.
CVE-2023-5384 | LOW | CVSS 2.7 | fixed in 8.4.6 | published: 2023-12-18
Rated [HIGH] | CWE-312 | source: nvd
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
CVE-2023-4586 | HIGH | CVSS 7.4 | version: v8.0.0 | published: 2023-10-04
Rated [HIGH] | CWE-20 | source: nvd
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.
CVE-2021-31917 | CRITICAL | CVSS 9.8 | version: v8.0.0, v8.0.1, +2 more | published: 2021-09-21
Rated [CRITICAL] | CWE-287 | source: nvd
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0). An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-3642 | MEDIUM | CVSS 5.3 | version: v8.0 | published: 2021-08-05
Rated [MEDIUM] | CWE-203 | source: nvd
A flaw was found in Wildfly Elytron in versions prior to 1.10.14.Final, prior to 1.15.5.Final and prior to 1.16.1.Final where ScramServer may be susceptible to Timing Attack if enabled. The highest threat of this vulnerability is confidentiality.
CVE-2020-10771 | HIGH | CVSS 7.1 | version: v8.0 | published: 2021-06-02
Rated [HIGH] | CWE-352 | source: nvd
A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.
CVE-2021-3536 | MEDIUM | CVSS 4.8 | version: v8.0 | published: 2021-05-20
Rated [MEDIUM] | CWE-79 | source: nvd
A flaw was found in Wildfly in versions before 23.0.2.Final: while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
CVE-2020-25711 | MEDIUM | CVSS 6.5 | version: v8.0 | published: 2020-12-03
Rated [MEDIUM] | CWE-862 | source: nvd
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role.
CVE-2020-25644 | HIGH | CVSS 7.5 | version: v8.0 | published: 2020-10-06
Rated [HIGH] | CWE-401 | source: nvd
A memory leak flaw was found in WildFly OpenSSL in versions prior to 1.1.3.Final, where it removes an HTTP session. It may allow the attacker to cause OOM leading to a denial of service. The highest threat from this vulnerability is to system availability.
CVE-2019-14838 | MEDIUM | CVSS 4.9 | version: v7.3.4 | published: 2019-10-14
Rated [MEDIUM] | CWE-284 | source: nvd
A flaw was found in wildfly-core before 7.2.5.GA. Management users with the Monitor, Auditor and Deployer roles should not be allowed to modify the runtime state of the server.
CVE-2015-7501 | CRITICAL | CVSS 9.8 | version: v6.0.0 | published: 2017-11-09
Rated [CRITICAL] | CWE-502 | source: nvd
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Ha