CVE-2023-5384 - OpenCVE

A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Data Grid Jboss Data Grid
Infinispan	Infinispan

Configuration 1 [-]

cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*

Configuration 3 [-]

cpe:2.3:a:infinispan:infinispan:-:*:*:*:*:*:*:*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2023:7676	Vendor Advisory
https://access.redhat.com/security/cve/CVE-2023-5384	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2242156	Issue Tracking
https://security.netapp.com/advisory/ntap-20240125-0004/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2023-12-18T13:43:08.728Z

Updated: 2024-06-04T17:28:38.094Z

Reserved: 2023-10-04T16:12:42.727Z

Link: CVE-2023-5384

JSON object: View

NVD Information

Status : Modified

Published: 2023-12-18T14:15:11.360

Modified: 2024-01-25T14:15:26.733

Link: CVE-2023-5384

JSON object: View

Redhat Information

No data.

CWE

CWE-312

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5384", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-04T16:12:42.727Z", "datePublished": "2023-12-18T13:43:08.728Z", "dateUpdated": "2024-06-04T17:28:38.094Z"}, "containers": {"cna": {"title": "Infinispan: credentials returned from configuration as clear text", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Data Grid 8.4.6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "infinispan", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:7676", "name": "RHSA-2023:7676", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5384", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242156", "name": "RHBZ#2242156", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://security.netapp.com/advisory/ntap-20240125-0004/"}], "datePublic": "2023-12-06T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "description": "Cleartext Storage of Sensitive Information", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-312: Cleartext Storage of Sensitive Information", "workarounds": [{"lang": "en", "value": "The issue's impact is limited because only users with administrator permissions can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the `datasource` configuration, which does not expose the database credentials."}], "timeline": [{"lang": "en", "time": "2023-10-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-12-06T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-01T20:21:25.506Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-05-02T15:07:03.611901Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:28:38.094Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:data_grid:*:*:*:*:*:*:*:*", "matchCriteriaId": "069956BE-8A4A-418E-8913-90BB53FC6A23", "versionEndExcluding": "8.4.6", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_data_grid:-:*:*:*:text-only:*:*:*", "matchCriteriaId": "2BF03A52-4068-47EA-8846-1E5FB708CE1A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:infinispan:infinispan:-:*:*:*:*:*:*:*", "matchCriteriaId": "F6718434-9048-42D0-8E70-40531CA83A16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Infinispan. Al serializar la configuraci\u00f3n de una cach\u00e9 en XML/JSON/YAML, que contiene credenciales (almac\u00e9n JDBC con agrupaci\u00f3n de conexiones, almac\u00e9n remoto), las credenciales se devuelven en texto plano como parte de la configuraci\u00f3n."}], "id": "CVE-2023-5384", "lastModified": "2024-01-25T14:15:26.733", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-12-18T14:15:11.360", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:7676"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5384"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2242156"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20240125-0004/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-312"}], "source": "secalert@redhat.com", "type": "Secondary"}]}