Some server management operations don't check authorization permissions so, when authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. The following ops are affected: * server stop * cluster stop * server report * cache ignore list manipulation This vulnerability affects the org.infinispan:infinispan-server-runtime artifact for all versions up to 11.0.5.Final. https://issues.redhat.com/browse/JDG-4194
Acknowledgments: Name: Tristan Tarrant (Red Hat)
Mitigation: There is currently no known mitigation for this issue.
This issue has been addressed in the following products: Red Hat Data Grid 8.1.1 Via RHSA-2021:0433 https://access.redhat.com/errata/RHSA-2021:0433
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25711