The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NInfinispan
APPInfinispan< 9.1.0
Related vulnerabilities
A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixatio...
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contain...
A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class Reflection...
Infinispan permits improper deserialization of trusted data via XML and JSON transcoders under certain server ...
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on in...