CVE-2023-3629— Infinispan: non-admins should not be able to get cache config via rest api

CVSS 4.3 · Medium EPSS 0.10% · P28 Updated Feb 26, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-3629

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Infinispan: non-admins should not be able to get cache config via rest api

Source: NVD (National Vulnerability Database)

Vulnerability Description

A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

认证中关键步骤缺失

Source: NVD (National Vulnerability Database)

Vulnerability Title

Red Hat Infinispan 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Red Hat Infinispan是美国红帽（Red Hat）公司的一套分布式缓存和键值NoSQL数据存储软件。 infinispan 存在安全漏洞，该漏洞源于缓存检索端点无法正确评估操作所需的管理员权限。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Red Hat	Red Hat Data Grid 8.4.4	-	`cpe:/a:redhat:jboss_data_grid:8`
Red Hat	Red Hat JBoss Enterprise Application Platform 6	-	`cpe:/a:redhat:jboss_enterprise_application_platform:6`

II. Public POCs for CVE-2023-3629

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-3629

请登录查看更多情报信息。

NetApp Product Security
https://access.redhat.com/security/cve/CVE-2023-3629vdb-entryx_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2217926issue-trackingx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2023:5396vendor-advisoryx_refsource_REDHAT
https://nvd.nist.gov/vuln/detail/CVE-2023-3629

Same Patch Batch · Red Hat · 2023-12-18 · 10 CVEs total

CVE-2023-4320	7.6 HIGH	Satellite: arithmetic overflow in satellite
CVE-2023-5384	7.2 HIGH	Infinispan: credentials returned from configuration as clear text
CVE-2023-5056	6.8 MEDIUM	Skupper-operator: privelege escalation via config map
CVE-2023-3628	6.5 MEDIUM	Infispan: rest bulk ops don't check permissions
CVE-2023-5115	6.3 MEDIUM	Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
CVE-2023-6927	4.6 MEDIUM	Keycloak: open redirect via "form_post.jwt" jarm response mode
CVE-2023-5236	4.4 MEDIUM	Infinispan: circular reference on marshalling leads to dos
CVE-2023-6918	3.7 LOW	Libssh: missing checks for return values for digests
CVE-2023-6228	3.3 LOW	Libtiff: heap-based buffer overflow in cpstriptotile() in tools/tiffcp.c

IV. Related Vulnerabilities

Same product: Red Hat Data Grid 8.4.4

Same vendor: Red Hat

Same weakness: CWE-304

V. Comments for CVE-2023-3629

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2023-3629— Infinispan: non-admins should not be able to get cache config via rest api

I. Basic Information for CVE-2023-3629

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-3629

III. Intelligence Information for CVE-2023-3629

Same Patch Batch · Red Hat · 2023-12-18 · 10 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2023-3629

Leave a comment