{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4586", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-29T04:57:10.685Z", "datePublished": "2023-10-04T10:46:15.010Z", "dateUpdated": "2024-09-16T16:01:00.692Z"}, "containers": {"cna": {"title": "Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Data Grid 8.4.6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "hotrod-client", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7676", "name": "RHSA-2023:7676", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4586", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564", "name": "RHBZ#2235564", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-08-29T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-20: Improper Input Validation", "workarounds": [{"lang": "en", "value": "No current mitigation is yet available for this vulnerability"}], "timeline": [{"lang": "en", "time": "2023-08-29T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-08-29T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T16:01:00.692Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:31:06.434Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7676", "name": "RHSA-2023:7676", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4586", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564", "name": "RHBZ#2235564", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3311F2A9-C028-4765-BF79-BC370D15550C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:hot_rod:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B99E1E2-CFB8-4B3A-80FE-32AEF0D1CB5A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el cliente Hot Rod. Este problema de seguridad ocurre porque el cliente Hot Rod no habilita la validaci\u00f3n del nombre de host cuando usa TLS, lo que posiblemente resulte en un ataque de man-in-the-middle (MITM)."}], "id": "CVE-2023-4586", "lastModified": "2023-12-06T22:15:06.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-10-04T11:15:10.500", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7676"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4586"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7676", "cpe": "cpe:/a:redhat:jboss_data_grid:8", "package": "hotrod-client", "product_name": "Red Hat Data Grid 8.4.6", "release_date": "2023-12-06T00:00:00Z"}], "bugzilla": {"description": "hotrod-client: Hot Rod client does not enable hostname validation when using TLS that lead to a MITM attack", "id": "2235564", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.", "A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack."], "mitigation": {"lang": "en:us", "value": "No current mitigation is yet available for this vulnerability"}, "name": "CVE-2023-4586", "public_date": "2023-08-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4586\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4586"], "threat_severity": "Moderate"}