CVE-2020-10746 - OpenCVE

A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Complete

AV:L/AC:L/Au:N/C:N/I:P/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Infinispan	Infinispan-server-runtime
Redhat	Jboss Data Grid

Configuration 1 [-]

cpe:2.3:a:infinispan:infinispan-server-runtime:10.0.0:-:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Data Grid
	cpe:/a:redhat:jboss_data_grid:8	RHSA-2020:3626	2020-09-03T00:00:00Z

References

Link	Providers
https://bugzilla.redhat.com/show_bug.cgi?id=1835922
https://nvd.nist.gov/vuln/detail/CVE-2020-10746
https://www.cve.org/CVERecord?id=CVE-2020-10746

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2020-10-19T20:42:17

Updated: 2024-08-04T11:14:14.720Z

Reserved: 2020-03-20T00:00:00

Link: CVE-2020-10746

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-19T21:15:12.437

Modified: 2021-10-26T20:13:51.907

Link: CVE-2020-10746

Redhat

Severity : Important

Publid Date: 2020-09-03T00:00:00Z

Links: CVE-2020-10746 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Infinispan", "vendor": "n/a", "versions": [{"status": "affected", "version": "Infinispan 11.0.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "CWE-862", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-05-04T19:04:18", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-10746", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Infinispan", "version": {"version_data": [{"version_value": "Infinispan 11.0.0"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-862"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:14:14.720Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-10746", "datePublished": "2020-10-19T20:42:17", "dateReserved": "2020-03-20T00:00:00", "dateUpdated": "2024-08-04T11:14:14.720Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:infinispan-server-runtime:10.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "F60FD899-0E1F-4E4C-9BCD-D7639B9E04AE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la versi\u00f3n 10 de Infinispan (org.infinispan:infinispan-server-runtime), que permite el acceso local a los controles a trav\u00e9s de las API REST y HotRod. Este fallo permite a un usuario autentificado en la m\u00e1quina local realizar todas las operaciones en las cach\u00e9s, incluyendo la creaci\u00f3n, actualizaci\u00f3n, eliminaci\u00f3n y apagado de todo el servidor"}], "id": "CVE-2020-10746", "lastModified": "2021-10-26T20:13:51.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 5.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-19T21:15:12.437", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-862"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "This issue was discovered by Diego Lovison (Red Hat).", "affected_release": [{"advisory": "RHSA-2020:3626", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "product_name": "Red Hat Data Grid", "release_date": "2020-09-03T00:00:00Z"}], "bugzilla": {"description": "Infinispan: REST and HotRod APIs unsecured locally by default", "id": "1835922", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.4", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-862", "details": ["A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.", "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server."], "name": "CVE-2020-10746", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Affected", "package_name": "infinispan", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "infinispan-rest", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "infinispan-rest", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "infinispan-rest", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "infinispan-rest", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "infinispan-rest", "product_name": "Red Hat JBoss Fuse Service Works 6"}], "public_date": "2020-09-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10746\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10746"], "threat_severity": "Important", "upstream_fix": "Infinispan 11.0.0"}