CVE-2023-3628 — Infinispan REST Server's bulk read endpoints do not properly evaluate user permi

Description

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

How to fix CVE-2023-3628

To remediate CVE-2023-3628, upgrade the affected package to a fixed version below.

—upgrade to 15.0.0.Dev04 or later

Is CVE-2023-3628 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 15.0.0.Dev01, < 15.0.0.Dev04

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (8)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-3628
PATCHgithub.com/infinispan/infinispan
WEBaccess.redhat.com/errata/RHSA-2023:5396
WEBaccess.redhat.com/security/cve/CVE-2023-3628
WEBbugzilla.redhat.com