What is CVE-2017-2638?

CVE-2017-2638 is a medium-severity vulnerability in Infinispan, classified under Missing Authentication for Critical Function. CVSS score: 6.5/10. Published 2018-07-16.

How severe is CVE-2017-2638?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Auth bypass in Infinispan

CVE-2017-2638

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Vulnerability class: Broken Authentication

EPSS: 0.016 (72.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Affected products

Infinispan
[Unknown] Infinispan — versions Infinispan 9.0.0.Final
Redhat Jboss_data_grid — versions 7.1

Weakness classification (CWE)

References

secalert@redhat.com (x_refsource_CONFIRM, Patch, Third Party Advisory, Issue Tracking)
secalert@redhat.com (x_refsource_REDHAT, vendor-advisory, Third Party Advisory)
secalert@redhat.com (x_refsource_CONFIRM, Third Party Advisory)
secalert@redhat.com (x_refsource_CONFIRM, Patch, Third Party Advisory)
secalert@redhat.com (VDB Entry, Third Party Advisory, vdb-entry, x_refsource_BID)

Frequently asked questions

What is CVE-2017-2638?: CVE-2017-2638 is a medium-severity vulnerability in Infinispan, classified under Missing Authentication for Critical Function. CVSS score: 6.5/10. Published 2018-07-16.
How severe is CVE-2017-2638?: Medium severity. CVSS v3 base score is 6.5 out of 10.