GoogleOSV:GHSA-Q2FJ-6H62-59M2Apiman Vert.x Gateway has Transitive Hazelcast connection caching issue
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
54.2%
Impact
If you are using the Apiman Vert.x Gateway prior to Apiman 3.0.0.Final, a connection caching issue in Hazelcast could allow an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection’s identity.
Hazelcast is a transitive dependency of the Apiman Vert.x Gateway.
The precise risk is difficult to quantify at this juncture as plugins deployed by users may make use of Hazelcast in a different manner to the main Apiman codebase.
If any of your custom Apiman plugins specify Hazelcast dependencies, you should also bump these versions.
Hint: an easy way to track Apiman dependency versions is to use apiman-parent.
If you use the Apiman Tomcat or WildFly Gateway this does not affect you.
Patches
Upgrade to Apiman 3.0.0.Final or later.
If you are using an older version of Apiman and need to remain on that version, contact to your Apiman support provider for advice/long-term support.
Workarounds
None (other than doing your own build).
References
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
54.2%