CVE-2023-5384 Infinispan: credentials returned from configuration as clear text

2023-12-1813:43:08

CWE-312

redhat

www.cve.org

cve-2023-5384

infinispan

credentials

configuration

clear text

serialization

cache

xml

json

yaml

jdbc store

connection pooling

remote store

CVSS3

7.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

AI Score

7.1

Confidence

High

EPSS

0.001

Percentile

21.8%

JSON

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Data Grid 8.4.6",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "defaultStatus": "unaffected",
    "packageName": "infinispan",
    "cpes": [
      "cpe:/a:redhat:jboss_data_grid:8"
    ]
  }
]