Bug 1846293 (CVE-2020-10771) - CVE-2020-10771 infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
Summary: CVE-2020-10771 infinispan-server-rest: Actions with effects should not be per...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10771
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1846287
Reported: 2020-06-11 10:14 UTC by Paramvir jindal
Modified: 2022-04-08 02:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.
Clone Of:
Environment:
Last Closed: 2021-05-26 23:32:03 UTC
Embargoed:


Description Paramvir jindal 2020-06-11 10:14:08 UTC
We shouldn't be using GET requests to perform these actions:

GET /rest/v2/server?action=stop
GET /rest/v2/cluster?action=stop
GET /rest/v2/tasks/myTask?action=exec&param.p1=v1&param.p2=v2
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=cancel-push-state
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=start-push-state
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=bring-online
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=take-offline
GET /rest/v2/counters/{counterName}?action=compareAndSet&expect={expect}&update={update}
GET /rest/v2/counters/{counterName}?action=compareAndSwap&expect={expect}&update={update}
GET /rest/v2/counters/{counterName}?action=decrement
GET /rest/v2/counters/{counterName}?action=add&delta={delta}
GET /rest/v2/counters/{counterName}?action=increment
GET /rest/v2/counters/{counterName}?action=reset
GET /v2/caches/{cacheName}/x-site/backups/{siteName}?action=cancel-receive-state

https://issues.redhat.com/browse/JDG-3625
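The following is an added illustration and is not code from Infinispan or from the Red Hat fix shipped in RHSA-2021:2139 (the page does not describe how the fix was implemented). It models the behaviour reported above with a minimal request dispatcher: the vulnerable form honours `?action=...` on any method, so a plain link or image tag can trigger a side effect, while the hardened form only executes these actions on POST and answers GET with 405. It also shows a small detector that scans access-log lines for GET requests carrying one of the state-changing action names listed in the report. The action set is taken from the endpoint list in the description; the log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Side-effecting action names, taken from the endpoint list in the bug report.
STATE_CHANGING_ACTIONS = {
    "stop", "exec", "cancel-push-state", "start-push-state", "bring-online",
    "take-offline", "compareAndSet", "compareAndSwap", "decrement", "add",
    "increment", "reset", "cancel-receive-state",
}


def action_of(url):
    """Return the value of the 'action' query parameter, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("action")
    return values[0] if values else None


def dispatch_vulnerable(method, url):
    """Model of the pre-fix behaviour: the method is ignored, so a GET with
    ?action=... performs the action (this is what makes CSRF trivial)."""
    action = action_of(url)
    if action in STATE_CHANGING_ACTIONS:
        return 200, f"executed {action}"
    return 200, "read"


def dispatch_hardened(method, url):
    """Hardened model: state-changing actions are only honoured on POST.
    A GET (or any other method) carrying such an action is refused with 405,
    so a cross-site <a> or <img> request cannot trigger it."""
    action = action_of(url)
    if action in STATE_CHANGING_ACTIONS:
        if method != "POST":
            return 405, "Method Not Allowed"
        return 200, f"executed {action}"
    if method == "GET":
        return 200, "read"
    return 405, "Method Not Allowed"


# Common Log Format, e.g.:  1.2.3.4 - - [11/Jun/2020:10:14:08 +0000] "GET /p HTTP/1.1" 200 12
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+$'
)


def find_get_actions(log_lines):
    """Detection: return (ip, url, action) for every GET request whose query
    string names one of the state-changing actions. POST requests to the same
    endpoints are legitimate and are not reported."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m["method"] != "GET":
            continue
        action = action_of(m["url"])
        if action in STATE_CHANGING_ACTIONS:
            hits.append((m["ip"], m["url"], action))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2020:10:14:08 +0000] "GET /rest/v2/server?action=stop HTTP/1.1" 200 0',
    '10.0.0.5 - - [11/Jun/2020:10:14:09 +0000] "GET /rest/v2/caches/default HTTP/1.1" 200 512',
    '10.0.0.7 - - [11/Jun/2020:10:14:10 +0000] "POST /rest/v2/counters/c1?action=increment HTTP/1.1" 200 0',
    '10.0.0.7 - - [11/Jun/2020:10:14:11 +0000] "GET /rest/v2/counters/c1?action=reset HTTP/1.1" 200 0',
    '10.0.0.9 - - [11/Jun/2020:10:14:12 +0000] "GET /rest/v2/tasks/myTask?action=exec&param.p1=v1 HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print(dispatch_vulnerable("GET", "/rest/v2/server?action=stop"))
    print(dispatch_hardened("GET", "/rest/v2/server?action=stop"))
    print(dispatch_hardened("POST", "/rest/v2/server?action=stop"))
    for hit in find_get_actions(SAMPLE_LOG):
        print("GET with side effect:", hit)
```

Requiring POST removes the simplest CSRF vector (a GET a browser issues for a link, image or prefetch), which is the point of the report; a cross-origin form POST still reaches the endpoint, so a deployment also needs the usual Origin/Referer validation or a CSRF token for browser-facing clients. The detector is useful for checking historical logs of an unpatched server, since a side-effecting GET that returned 200 is exactly what this flaw allows.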

Comment 1 Paramvir jindal 2020-06-11 10:14:19 UTC
Acknowledgments:

Name: Diego Lovison (Red Hat)

Comment 5 errata-xmlrpc 2021-05-26 21:49:54 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.0

Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139

Comment 6 Product Security DevOps Team 2021-05-26 23:32:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10771
