{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-3629", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-07-11T20:51:42.907Z", "datePublished": "2023-12-18T13:43:07.770Z", "dateUpdated": "2024-09-16T13:47:43.100Z"}, "containers": {"cna": {"title": "Infinispan: non-admins should not be able to get cache config via rest api", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Data Grid 8.4.4", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected", "packageName": "infinispan", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 6", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "infinispan", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5396", "name": "RHSA-2023:5396", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3629", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926", "name": "RHBZ#2217926", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-09-21T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-304", "description": "Missing Critical Step in Authentication", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-304: Missing Critical Step in Authentication", "timeline": [{"lang": "en", "time": "2023-06-27T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-09-21T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T13:47:43.100Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:01:57.037Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5396", "name": "RHSA-2023:5396", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-3629", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926", "name": "RHBZ#2217926", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240125-0004/", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6401304-B700-4F69-9385-66B7398C55D8", "versionEndExcluding": "8.4.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:6:*:*:*:*:*:*:*", "matchCriteriaId": "68E89E9D-88CA-4BCC-8871-EF4AF913D871", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:infinispan:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6718434-9048-42D0-8E70-40531CA83A16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en REST de Infinispan: los endpoints de recuperaci\u00f3n de cach\u00e9 no eval\u00faan adecuadamente los permisos de administrador necesarios para la operaci\u00f3n. Este problema podr\u00eda permitir que un usuario autenticado acceda a informaci\u00f3n fuera de sus permisos previstos."}], "id": "CVE-2023-3629", "lastModified": "2024-09-16T14:15:11.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-12-18T14:15:08.557", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5396"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-3629"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-304"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:5396", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "infinispan", "product_name": "Red Hat Data Grid 8.4.4", "release_date": "2023-09-28T00:00:00Z"}], "bugzilla": {"description": "infinispan: Non-admins should not be able to get cache config via REST API", "id": "2217926", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-304", "details": ["A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.", "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions."], "name": "CVE-2023-3629", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "infinispan", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}], "public_date": "2023-09-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-3629\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3629"], "threat_severity": "Moderate"}