CVE-2023-5384
7.2
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-312: Cleartext Storage of Sensitive Information
Workarounds
The issue's impact is limited because only users with administrator permissions can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the datasource configuration, which does not expose the database credentials.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2023:7676
- https://access.redhat.com/security/cve/CVE-2023-5384
- https://bugzilla.redhat.com/show_bug.cgi?id=2242156
- https://security.netapp.com/advisory/ntap-20240125-0004/
References
- https://access.redhat.com/errata/RHSA-2023:7676
- https://access.redhat.com/security/cve/CVE-2023-5384
- https://bugzilla.redhat.com/show_bug.cgi?id=2242156
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.