Bug 2217926 (CVE-2023-3629) - CVE-2023-3629 infinispan: Non-admins should not be able to get cache config via REST API
Summary: CVE-2023-3629 infinispan: Non-admins should not be able to get cache config v...
Keywords:
Status: NEW
Alias: CVE-2023-3629
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2217927
Blocks: 2217923
Reported: 2023-06-27 13:45 UTC by Dhananjay Arunesh
Modified: 2023-11-06 08:31 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Infinispan's REST API: the cache retrieval endpoints do not properly evaluate the admin permissions required for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
Red Hat Product Errata RHSA-2023:5396 (last updated 2023-09-28 11:55:41 UTC)

Description Dhananjay Arunesh 2023-06-27 13:45:35 UTC
The REST endpoint to retrieve cache configurations doesn't check for ADMIN permissions:
GET /rest/v2/caches/{cacheName}?action=config
GET /rest/v2/caches
The cache configuration may contain information about filesystem paths and allowed security roles which should not be viewable by non-administrators.
The first method should return a 403 in case the user doesn't have appropriate permissions.
The second method should omit the full cache configuration from the response (it returns other, non-security sensitive information).
The methods require authentication, but once authenticated, any user can invoke them successfully.
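A post-update check an administrator can run against their own server, added here as an example (it is not part of the bug report or of the Infinispan project): with non-admin credentials it expects a 403 from the config endpoint and verifies that the cache listing carries no configuration. The URL paths are those named in the report; the JSON shape of the listing and the field names in CONFIG_LEAK_KEYS are assumptions.

```python
import json
import urllib.error
import urllib.request

# Assumed field names under which a listing item might embed a cache config.
CONFIG_LEAK_KEYS = ("configuration", "config")


def classify_config_response(status: int) -> str:
    """Classify what a NON-admin got from GET /rest/v2/caches/{name}?action=config.
    Fixed servers answer 403; a 200 means the config was handed out;
    anything else (401, 404, 5xx) proves nothing about the fix."""
    if status == 403:
        return "fixed"
    if status == 200:
        return "vulnerable"
    return "inconclusive"


def listing_leaks_config(body: object) -> bool:
    """True if a GET /rest/v2/caches body still embeds full configurations.
    Assumption: the body is a JSON array of cache names (strings) or per-cache
    objects; only an object carrying one of CONFIG_LEAK_KEYS counts as a leak."""
    if not isinstance(body, list):
        return False
    return any(isinstance(item, dict) and any(k in item for k in CONFIG_LEAK_KEYS)
               for item in body)


def _get(opener, url):
    """Return (status, parsed JSON or None); HTTPError carries the status code."""
    try:
        with opener.open(url, timeout=10) as resp:
            raw = resp.read()
            try:
                return resp.status, json.loads(raw)
            except ValueError:
                return resp.status, None
    except urllib.error.HTTPError as err:
        return err.code, None


def check_server(base_url: str, user: str, password: str, cache_name: str) -> dict:
    """Probe both endpoints with NON-admin credentials (Basic or Digest auth)."""
    mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    mgr.add_password(None, base_url, user, password)
    opener = urllib.request.build_opener(urllib.request.HTTPBasicAuthHandler(mgr),
                                         urllib.request.HTTPDigestAuthHandler(mgr))
    cfg_status, _ = _get(opener, f"{base_url}/rest/v2/caches/{cache_name}?action=config")
    list_status, listing = _get(opener, f"{base_url}/rest/v2/caches")
    return {"config_endpoint": classify_config_response(cfg_status),
            "listing_exposes_config": list_status == 200 and listing_leaks_config(listing)}
```

A result of `{"config_endpoint": "fixed", "listing_exposes_config": False}` for a user without ADMIN permission is the expected outcome on a server carrying the fix.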

Comment 6 errata-xmlrpc 2023-09-28 11:55:39 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.4

Via RHSA-2023:5396 https://access.redhat.com/errata/RHSA-2023:5396

