CVE-2023-4586 - OpenCVE

A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Data Grid
Infinispan	Hot Rod

Configuration 1 [-]

cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:infinispan:hot_rod:-:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:7676
https://access.redhat.com/security/cve/CVE-2023-4586	Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2235564	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-10-04T10:46:15.010Z

Updated: 2024-05-01T20:21:13.519Z

Reserved: 2023-08-29T04:57:10.685Z

Link: CVE-2023-4586

JSON object: View

NVD Information

Status : Modified

Published: 2023-10-04T11:15:10.500

Modified: 2023-12-06T22:15:06.693

Link: CVE-2023-4586

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-4586", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-29T04:57:10.685Z", "datePublished": "2023-10-04T10:46:15.010Z", "dateUpdated": "2024-05-01T20:21:13.519Z"}, "containers": {"cna": {"title": "Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Data Grid 8.4.6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "hotrod-client", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7676", "name": "RHSA-2023:7676", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4586", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564", "name": "RHBZ#2235564", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2023-08-29T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "Improper Input Validation", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-20: Improper Input Validation", "workarounds": [{"lang": "en", "value": "No current mitigation is yet available for this vulnerability"}], "timeline": [{"lang": "en", "time": "2023-08-29T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-08-29T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-01T20:21:13.519Z"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:data_grid:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "3311F2A9-C028-4765-BF79-BC370D15550C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:hot_rod:-:*:*:*:*:*:*:*", "matchCriteriaId": "3B99E1E2-CFB8-4B3A-80FE-32AEF0D1CB5A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en el cliente Hot Rod. Este problema de seguridad ocurre porque el cliente Hot Rod no habilita la validaci\u00f3n del nombre de host cuando usa TLS, lo que posiblemente resulte en un ataque de man-in-the-middle (MITM)."}], "id": "CVE-2023-4586", "lastModified": "2023-12-06T22:15:06.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-10-04T11:15:10.500", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2023:7676"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4586"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2235564"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-295"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-20"}], "source": "secalert@redhat.com", "type": "Secondary"}]}