Vulnerability Details : CVE-2017-2638
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Vulnerability category: Bypass; Gain privilege
Products affected by CVE-2017-2638
- cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2017-2638
- 0.32%: probability of exploitation activity in the next 30 days
- ~67%: percentile, the proportion of vulnerabilities that are scored at or lower
CVSS scores for CVE-2017-2638
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N | 10.0 | 4.9 | NIST | 
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | NIST | 
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | 3.9 | 2.5 | Red Hat, Inc. | 
CWE ids for CVE-2017-2638
- When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Assigned by: nvd@nist.gov (Primary)
- The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2017-2638
- http://rhn.redhat.com/errata/RHSA-2017-1097.html (RHSA-2017:1097 - Security Advisory - Red Hat Customer Portal): Third Party Advisory
- http://www.securityfocus.com/bid/97964 (infinispan CVE-2017-2638 Authentication Bypass Vulnerability): Third Party Advisory; VDB Entry
- https://issues.jboss.org/browse/ISPN-7485 ([ISPN-7485] Restore authentication functionality on the REST connector - JBoss Issue Tracker): Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638 (1428564 – (CVE-2017-2638) CVE-2017-2638 infinispan: auth bypass in REST api): Issue Tracking; Patch; Third Party Advisory
- https://github.com/infinispan/infinispan/pull/4936/commits (ISPN-7485 Restore REST authentication by tristantarrant · Pull Request #4936 · infinispan/infinispan · GitHub): Patch; Third Party Advisory