CVE-2017-15089: Deserialization of Untrusted Data
It was found that the Hot Rod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read back from the cache. An authenticated attacker could store a malicious serialized object in the cache and have it deserialized on any client that reads that entry, and possibly conduct further attacks from there.
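The defensive pattern behind this class of bug is to refuse to rehydrate any class the client does not expect. The following is an added illustration, not Infinispan code and not the change in the linked pull request: a hypothetical `SafeCacheClient` reads bytes back from a cache and deserializes them through a `java.io.ObjectInputFilter` (Java 9+) that allows only the one value type the client expects, so an unexpected class in the stream is rejected before its constructor or `readObject` logic can run. The `Session` type and the `readFromCache`/`serialize` helpers are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

/**
 * Added example (not Infinispan's code): a cache client that only
 * deserializes classes on an explicit allow-list. Class names here are
 * hypothetical; the real fix for CVE-2017-15089 is in the linked PR.
 */
public class SafeCacheClient {

    // Hypothetical value type this client expects to find in the cache.
    public static final class Session implements Serializable {
        private static final long serialVersionUID = 1L;
        final String user;
        Session(String user) { this.user = user; }
    }

    // Exactly the types a cache entry is allowed to contain. Anything else
    // (including any gadget class an attacker might store) is refused.
    private static final Set<String> ALLOWED =
            Set.of(Session.class.getName(), String.class.getName());

    static final ObjectInputFilter ALLOW_LIST = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Depth/reference/array-length checks carry no class; leave to defaults.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (c.isArray()) {
            // No value type here is an array, so reject arrays outright.
            return ObjectInputFilter.Status.REJECTED;
        }
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Deserialize bytes read back from the cache with the allow-list enforced. */
    static Object readFromCache(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOW_LIST);   // must be set before readObject()
            return in.readObject();
        }
    }

    /** Helper standing in for "bytes as stored in the cache". */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Expected object: passes the filter and is rehydrated normally.
        Session s = (Session) readFromCache(serialize(new Session("alice")));
        System.out.println("accepted: " + s.user);

        // Unexpected (here harmless) object: the filter rejects it with
        // an InvalidClassException instead of instantiating it.
        try {
            readFromCache(serialize(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to take from the example is the direction of trust: a cache entry written by one authenticated party is untrusted input to every other client that reads it, so the read path, not the write path, is where the class allow-list belongs. A process-wide filter set via `ObjectInputFilter.Config.setSerialFilter` gives the same protection to streams the application does not open itself.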
References
- access.redhat.com/errata/RHSA-2018:0294
- access.redhat.com/errata/RHSA-2018:0478
- access.redhat.com/errata/RHSA-2018:0479
- access.redhat.com/errata/RHSA-2018:0480
- access.redhat.com/errata/RHSA-2018:0481
- access.redhat.com/errata/RHSA-2018:0501
- access.redhat.com/errata/RHSA-2019:1326
- github.com/advisories/GHSA-46r5-59fg-2fjc
- github.com/infinispan/infinispan/pull/5639
- nvd.nist.gov/vuln/detail/CVE-2017-15089