2242156 – (CVE-2023-5384) CVE-2023-5384 infinispan: Credentials returned from configuration as clear text

Bug 2242156 (CVE-2023-5384) - CVE-2023-5384 infinispan: Credentials returned from configuration as clear text

Summary: CVE-2023-5384 infinispan: Credentials returned from configuration as clear text

Keywords:
Status:	NEW
Alias:	CVE-2023-5384
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2242155
TreeView+	depends on / blocked

Reported:	2023-10-04 16:14 UTC by Patrick Del Bello
Modified:	2023-12-12 09:18 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:7676	0	None	None	None	2023-12-06 19:04:02 UTC

Description Patrick Del Bello 2023-10-04 16:14:45 UTC

When serializing the configuration for a cache to XML/JSON/YAML which contains credentials (JDBC store with connection pooling, Remote store) the credentials are returned in clear text as part of the configuration.

The issue's impact is limited because only users with the ADMIN permission can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the `datasource` configuration which does not expose the database credentials.

Comment 3 errata-xmlrpc 2023-12-06 19:04:01 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 8.4.6

Via RHSA-2023:7676 https://access.redhat.com/errata/RHSA-2023:7676

Note You need to log in before you can comment on or make changes to this bug.