Bug 2217924 (CVE-2023-3628) - CVE-2023-3628 infinispan: REST bulk ops don't check permissions
Summary: CVE-2023-3628 infinispan: REST bulk ops don't check permissions
Keywords:
Status: NEW
Alias: CVE-2023-3628
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2217925
Blocks: 2217923
Reported: 2023-06-27 13:41 UTC by Dhananjay Arunesh
Modified: 2023-11-06 08:30 UTC
CC List: 24 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Infinispan's REST API. The bulk read endpoints do not properly evaluate the caller's permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:5396  0        None      None    None     2023-09-28 11:55:41 UTC

Description Dhananjay Arunesh 2023-06-27 13:41:25 UTC
The REST bulk read endpoints:
/rest/v2/caches/{cacheName}?action=keys
/rest/v2/caches/{cacheName}?action=entries
use the cluster publisher, which is an internal component that doesn't check that the subject has bulk read permissions.
The methods require authentication, but once authenticated, any user can invoke them successfully.
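
An added check, written here and not part of the bug report or of Infinispan's own code: it requests the two bulk read endpoints from the description as a user who can authenticate but whose role grants READ without BULK_READ (you must create such a role yourself; the built-in roles bundle BULK_READ into ALL_READ, so they are not suitable as the test user). A 200 means the server handed back keys or entries to a user without bulk read permission, which is the flaw; the assumption that a fixed server maps the failed authorization check to 403 is mine, as are the server URL, cache name and credentials in the usage line. The HTTP call is injectable so the decision logic can be exercised offline.

```python
import urllib.error
import urllib.request
from urllib.parse import quote

# The two bulk read actions named in the report.
BULK_ACTIONS = ("keys", "entries")


def bulk_read_url(base_url: str, cache_name: str, action: str) -> str:
    """Build /rest/v2/caches/{cacheName}?action=keys|entries for a server base URL."""
    if action not in BULK_ACTIONS:
        raise ValueError(f"unknown bulk action: {action}")
    return f"{base_url.rstrip('/')}/rest/v2/caches/{quote(cache_name, safe='')}?action={action}"


def http_get(url: str, username: str, password: str, timeout: float = 10.0) -> int:
    """GET the URL as the given user (DIGEST or BASIC, whichever the server
    challenges with) and return the HTTP status code without raising on 4xx/5xx."""
    pw = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw.add_password(None, url, username, password)
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(pw),
        urllib.request.HTTPBasicAuthHandler(pw),
    )
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status: int) -> str:
    """Interpret the status of a bulk read issued by a user WITHOUT BULK_READ.

    200 -> keys/entries were returned: the permission was not enforced (the bug).
    403 -> authenticated but denied: the check is enforced (assumed fixed-server status).
    401 -> the credentials were rejected, so the test precondition was not met.
    """
    if status == 200:
        return "VULNERABLE"
    if status == 403:
        return "ENFORCED"
    if status == 401:
        return "AUTH_FAILED"
    return f"INCONCLUSIVE({status})"


def check_server(base_url, cache_name, username, password, fetch=http_get):
    """Probe both bulk endpoints; `fetch` is injectable so the logic can run offline."""
    return {
        action: classify(fetch(bulk_read_url(base_url, cache_name, action), username, password))
        for action in BULK_ACTIONS
    }


if __name__ == "__main__":
    import sys

    # Hypothetical usage: python check.py http://127.0.0.1:11222 mycache readonly-user secret
    base, cache, user, pwd = sys.argv[1:5]
    for action, verdict in check_server(base, cache, user, pwd).items():
        print(f"{action:8s} {verdict}")
```

Run it once before and once after applying the errata; only the "before" run should report VULNERABLE, and an AUTH_FAILED verdict means the probe said nothing about the permission check because the user never got past authentication.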

Comment 6 errata-xmlrpc 2023-09-28 11:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396

