CVE-2023-3628— Infispan: rest bulk ops don't check permissions

CVSS 6.5 · Medium EPSS 0.09% · P25 Updated Feb 26, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-3628

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Infispan: rest bulk ops don't check permissions

Source: NVD (National Vulnerability Database)

Vulnerability Description

A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

认证中关键步骤缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

Red Hat Infinispan 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Red Hat Infinispan是美国红帽（Red Hat）公司的一套分布式缓存和键值NoSQL数据存储软件。 infinispan 存在安全漏洞，该漏洞源于批量读取端点无法正确评估操作的用户权限。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Red Hat	Red Hat Data Grid 8.4.4	-	`cpe:/a:redhat:jboss_data_grid:8`
Red Hat	Red Hat JBoss Enterprise Application Platform 6	-	`cpe:/a:redhat:jboss_enterprise_application_platform:6`

II. Public POCs for CVE-2023-3628

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-3628

Please Login to view more intelligence information

https://access.redhat.com/security/cve/CVE-2023-3628vdb-entryx_refsource_REDHAT
NetApp Product Security
https://bugzilla.redhat.com/show_bug.cgi?id=2217924issue-trackingx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5396vendor-advisoryx_refsource_REDHAT
https://nvd.nist.gov/vuln/detail/CVE-2023-3628

Same Patch Batch · Red Hat · 2023-12-18 · 10 CVEs total

CVE-2023-4320	7.6 HIGH	Satellite: arithmetic overflow in satellite
CVE-2023-5384	7.2 HIGH	Infinispan: credentials returned from configuration as clear text
CVE-2023-5056	6.8 MEDIUM	Skupper-operator: privelege escalation via config map
CVE-2023-5115	6.3 MEDIUM	Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
CVE-2023-6927	4.6 MEDIUM	Keycloak: open redirect via "form_post.jwt" jarm response mode
CVE-2023-5236	4.4 MEDIUM	Infinispan: circular reference on marshalling leads to dos
CVE-2023-3629	4.3 MEDIUM	Infinispan: non-admins should not be able to get cache config via rest api
CVE-2023-6918	3.7 LOW	Libssh: missing checks for return values for digests
CVE-2023-6228	3.3 LOW	Libtiff: heap-based buffer overflow in cpstriptotile() in tools/tiffcp.c

IV. Related Vulnerabilities

Same product: Red Hat Data Grid 8.4.4

Same vendor: Red Hat

Same weakness: CWE-304

V. Comments for CVE-2023-3628

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-3628— Infispan: rest bulk ops don't check permissions

I. Basic Information for CVE-2023-3628

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-3628

III. Intelligence Information for CVE-2023-3628

Same Patch Batch · Red Hat · 2023-12-18 · 10 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-3628

Leave a comment