CVE-2018-1131
The MITRE CVE dictionary describes this issue as:
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server configurations. A user with authenticated access to the server could send a malicious object to a cache configured to accept certain types of objects, achieving code execution and possible further attacks. Versions 9.0.3.Final, 9.1.7.Final, 8.2.10.Final, 9.2.2.Final, 9.3.0.Alpha1 are believed to be affected.
Find out more about CVE-2018-1131 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v3 metrics
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Data Grid 7.2 | RHSA-2018:1833 | 2018-06-12 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Single Sign-On 7 | infinispan | Affected |
| Red Hat OpenShift Application Runtimes 1.0 | vertx | Affected |
| Red Hat JBoss Operations Network 3 | infinispan | Under investigation |
| Red Hat JBoss Fuse Service Works 6 | infinispan | Affected |
| Red Hat JBoss Fuse 7 | camel | Affected |
| Red Hat JBoss Fuse 6 | camel | Affected |
| Red Hat JBoss EAP 7 | infinispan | Under investigation |
| Red Hat JBoss EAP 6 | infinispan | Under investigation |
| Red Hat JBoss Data Virtualization 6 | infinispan | Affected |
CVE description copyright © 2017, The MITRE Corporation