CVE-2023-5236 - Vulnerability Details

A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.001.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Infinispan	Infinispan
Redhat	Camel Quarkus Camel Spring Boot Data Grid Debezium Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Quarkus Red Hat Single Sign On

Configuration 1 [-]

cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*

Configuration 3 [-]

cpe:2.3:a:infinispan:infinispan:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Data Grid 8.4.4
	cpe:/a:redhat:jboss_data_grid:8	RHSA-2023:5396	2023-09-28T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-3094	A flaw was found in Infinispan, which does not detect circular object references when unmarshalling. An authenticated attacker with sufficient permissions could insert a maliciously constructed object into the cache and use it to cause out of memory errors and achieve a denial of service.
Github GHSA	GHSA-488m-w9fp-5mm2	Infinispan circular object references causes out of memory errors

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:5396
https://access.redhat.com/security/cve/CVE-2023-5236
https://bugzilla.redhat.com/show_bug.cgi?id=2240999
https://nvd.nist.gov/vuln/detail/CVE-2023-5236
https://security.netapp.com/advisory/ntap-20240125-0004/
https://www.cve.org/CVERecord?id=CVE-2023-5236

History

Fri, 07 Nov 2025 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat camel Quarkus Redhat camel Spring Boot Redhat debezium Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat quarkus Redhat red Hat Single Sign On
CPEs		cpe:/a:redhat:camel_quarkus:3 cpe:/a:redhat:camel_spring_boot:4 cpe:/a:redhat:debezium:2 cpe:/a:redhat:debezium:3 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_enterprise_bpms_platform:7 cpe:/a:redhat:jboss_fuse:7 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:quarkus:3 cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products		Redhat camel Quarkus Redhat camel Spring Boot Redhat debezium Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat quarkus Redhat red Hat Single Sign On

Sat, 23 Nov 2024 02:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-12-18T13:43:08.445Z

Updated: 2025-11-07T20:40:11.748Z

Reserved: 2023-09-27T16:33:11.279Z

Link: CVE-2023-5236

Vulnrichment

Updated: 2024-08-02T07:52:08.546Z

NVD

Status : Modified

Published: 2023-12-18T14:15:10.917

Modified: 2025-09-25T09:15:29.453

Link: CVE-2023-5236

Redhat

Severity : Low

Publid Date: 2023-09-27T00:00:00Z

Links: CVE-2023-5236 - Bugzilla

OpenCVE Enrichment

No data.

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object