Bug 2217926 (CVE-2023-3629) - CVE-2023-3629 infinispan: Non-admins should not be able to get cache config via REST API
Summary: CVE-2023-3629 infinispan: Non-admins should not be able to get cache config v...
Keywords:
Status: NEW
Alias: CVE-2023-3629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2217927
Blocks: 2217923
 
Reported: 2023-06-27 13:45 UTC by Dhananjay Arunesh
Modified: 2023-11-06 08:31 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHSA-2023:5396 | 0 | None | None | None | 2023-09-28 11:55:41 UTC

Description Dhananjay Arunesh 2023-06-27 13:45:35 UTC
The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.
The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security-sensitive information).
The methods require authentication, but once authenticated, any user can invoke them successfully.
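
The authorization behaviour the report asks for, as an added example that is not Infinispan's code: an in-memory model of the two endpoints where the per-cache config call returns 403 to anyone without ADMIN and the listing call drops the configuration for non-admins. The cache configs, the users alice/bob and their roles are constructed here; callers are assumed to be already authenticated.

```python
from dataclasses import dataclass

# Constructed sample data with the kinds of details the report calls
# sensitive: a filesystem path and the roles allowed on the cache.
CACHE_CONFIGS = {
    "orders": {
        "mode": "DIST_SYNC",
        "persistence": {"file-store": {"path": "/var/lib/infinispan/orders"}},
        "security": {"authorization": {"roles": ["admin", "orders-writer"]}},
    },
    "sessions": {"mode": "REPL_SYNC"},
}

# Constructed principal -> roles mapping (hypothetical users).
USER_ROLES = {"alice": {"admin"}, "bob": {"orders-writer"}}


@dataclass
class Response:
    status: int
    body: object = None


def has_admin(user: str) -> bool:
    """ADMIN permission is modelled as membership in the 'admin' role."""
    return "admin" in USER_ROLES.get(user, set())


def get_cache_config(user: str, cache_name: str) -> Response:
    """GET /rest/v2/caches/{cacheName}?action=config: ADMIN only."""
    if not has_admin(user):
        return Response(403)  # deny before the config is even looked up
    config = CACHE_CONFIGS.get(cache_name)
    return Response(200, config) if config is not None else Response(404)


def list_caches(user: str) -> Response:
    """GET /rest/v2/caches: names (and a non-sensitive mode field, constructed
    here) for every authenticated user; the full configuration only for ADMIN."""
    entries = []
    for name, cfg in CACHE_CONFIGS.items():
        entry = {"name": name, "mode": cfg.get("mode")}
        if has_admin(user):
            entry["configuration"] = cfg
        entries.append(entry)
    return Response(200, entries)
```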

Comment 6 errata-xmlrpc 2023-09-28 11:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396

