CVE-2023-3628: Infinispan REST Server's bulk read endpoints do not properly evaluate user permissions

December 30, 2023 (updated November 18, 2024)

A flaw was found in Infinispan’s REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

References

access.redhat.com/errata/RHSA-2023:5396
access.redhat.com/security/cve/CVE-2023-3628
bugzilla.redhat.com/show_bug.cgi?id=2217924
github.com/advisories/GHSA-fhr7-8jx4-r9cp
github.com/infinispan/infinispan
github.com/infinispan/infinispan/commit/70a50352d9195753a588d0fba8c2063b99f96263
github.com/infinispan/infinispan/commit/b34488dcab8bdd4258972568b8405ee7111276ec
nvd.nist.gov/vuln/detail/CVE-2023-3628
security.netapp.com/advisory/ntap-20240125-0004

Code Behaviors & Features

Detect and mitigate CVE-2023-3628 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →