GHSA-h47x-2j37-fw5m

Source
https://github.com/advisories/GHSA-h47x-2j37-fw5m
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h47x-2j37-fw5m/GHSA-h47x-2j37-fw5m.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h47x-2j37-fw5m
Aliases
Published
2022-05-24T17:01:50Z
Modified
2024-02-20T05:34:46.685094Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Use of Externally-Controlled Input to Select Classes or Code in Infinispan
Details

A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application.

Database specific
{
    "nvd_published_at": "2019-11-25T11:15:00Z",
    "cwe_ids": [
        "CWE-470"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-29T13:25:50Z"
}
References

Affected packages

Maven / org.infinispan:infinispan-core

Package

Name
org.infinispan:infinispan-core
Purl
pkg:maven/org.infinispan/infinispan-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
8.2.12.Final

Affected versions

5.*

5.0.0.FINAL
5.0.1.FINAL
5.1.0.ALPHA1
5.1.0.ALPHA2
5.1.0.BETA1
5.1.0.BETA2
5.1.0.BETA3
5.1.0.BETA4
5.1.0.BETA5
5.1.0.CR1
5.1.0.CR2
5.1.0.CR3
5.1.0.CR4
5.1.0.FINAL
5.1.1.CR1
5.1.1.FINAL
5.1.2.CR1
5.1.2.FINAL
5.1.3.CR1
5.1.3.FINAL
5.1.4.CR1
5.1.4.FINAL
5.1.5.CR1
5.1.5.FINAL
5.1.6.FINAL
5.1.7.Final
5.1.8.Final
5.2.0.ALPHA1
5.2.0.ALPHA2
5.2.0.Alpha3
5.2.0.Alpha4
5.2.0.Beta1
5.2.0.Beta2
5.2.0.Beta3
5.2.0.Beta4
5.2.0.Beta5
5.2.0.Beta6
5.2.0.CR1
5.2.0.CR2
5.2.0.CR3
5.2.0.Final
5.2.1.Final
5.2.2.Final
5.2.3.Final
5.2.4.Final
5.2.5.Final
5.2.6.Final
5.2.7.Final
5.2.7-wolfc-1
5.2.8.CR1
5.2.8.Final
5.2.9.Final
5.2.10.Final
5.2.11.CR1
5.2.11.Final
5.2.12.Final
5.2.13.Final
5.2.14.Final
5.2.15.Final
5.2.18.Final
5.2.19.Final
5.2.20.Final
5.3.0.Alpha1
5.3.0.Beta1
5.3.0.Beta2
5.3.0.CR1
5.3.0.CR2
5.3.0.Final

6.*

6.0.0.Alpha1
6.0.0.Alpha2
6.0.0.Alpha3
6.0.0.Alpha4
6.0.0.Beta1
6.0.0.Beta2
6.0.0.CR1
6.0.0.Final
6.0.1.Final
6.0.2.Final

7.*

7.0.0.Alpha1
7.0.0.Alpha2
7.0.0.Alpha3
7.0.0.Alpha4
7.0.0.Alpha5
7.0.0.Beta1
7.0.0.Beta2
7.0.0.CR1
7.0.0.CR2
7.0.0.Final
7.0.1.Final
7.0.2.Final
7.0.3.Final
7.1.0.Alpha1
7.1.0.Beta1
7.1.0.CR1
7.1.0.CR2
7.1.0.Final
7.1.1.Final
7.2.0.Alpha1
7.2.0.Beta1
7.2.0.Beta2
7.2.0.CR1
7.2.0.Final
7.2.1.Final
7.2.2.Final
7.2.3.Final
7.2.4.Final
7.2.5.Final

8.*

8.0.0.Alpha1
8.0.0.Alpha2
8.0.0.Beta1
8.0.0.Beta2
8.0.0.Beta3
8.0.0.CR1
8.0.0.Final
8.0.1.Final
8.0.2.Final
8.1.0.Alpha1
8.1.0.Alpha2
8.1.0.Beta1
8.1.0.CR1
8.1.0.Final
8.1.1.Final
8.1.2.Final
8.1.3.Final
8.1.4.Final
8.1.5.Final
8.1.6.Final
8.1.7.Final
8.1.8.Final
8.1.9.Final
8.2.0.Beta1
8.2.0.Beta2
8.2.0.CR1
8.2.0.Final
8.2.1.Final
8.2.2.Final
8.2.3.Final
8.2.4.Final
8.2.5.Final
8.2.6.Final
8.2.7.Final
8.2.8.Final
8.2.10.Final
8.2.11.Final

Database specific

{
    "last_known_affected_version_range": "<= 8.2.11.Final"
}

Maven / org.infinispan:infinispan-core

Package

Name
org.infinispan:infinispan-core
Purl
pkg:maven/org.infinispan/infinispan-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0.Final
Fixed
9.4.17.Final

Affected versions

9.*

9.0.0.Final
9.0.1.Final
9.0.2.Final
9.0.3.Final
9.1.0.Alpha1
9.1.0.Beta1
9.1.0.CR1
9.1.0.Final
9.1.1.Final
9.1.2.Final
9.1.3.Final
9.1.4.Final
9.1.5.Final
9.1.6.Final
9.1.7.Final
9.2.0.Alpha1
9.2.0.Alpha2
9.2.0.Beta1
9.2.0.Beta2
9.2.0.CR1
9.2.0.CR2
9.2.0.CR3
9.2.0.Final
9.2.1.Final
9.2.2.Final
9.2.3.Final
9.2.4.Final
9.2.5.Final
9.3.0.Alpha1
9.3.0.Beta1
9.3.0.CR1
9.3.0.Final
9.3.1.Final
9.3.2.Final
9.3.3.Final
9.3.4.Final
9.3.5.Final
9.3.6.Final
9.3.8.Final
9.3.9.Final
9.4.0.Alpha1
9.4.0.Beta1
9.4.0.CR1
9.4.0.CR2
9.4.0.CR3
9.4.0.Final
9.4.1.Final
9.4.2.Final
9.4.3.Final
9.4.4.Final
9.4.5.Final
9.4.6.Final
9.4.7.Final
9.4.8.Final
9.4.9.Final
9.4.10.Final
9.4.11.Final
9.4.12.Final
9.4.13.Final
9.4.14.Final
9.4.15.Final
9.4.16.Final

Database specific

{
    "last_known_affected_version_range": "<= 9.4.16.Final"
}