
CVE-2023-3628 REST bulk ops don't check permissions


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 14.0.18.Final, 15.0.0.Dev04
    • Affects Version/s: 15.0.0.Dev01, 14.0.11.Final
    • Component/s: REST

The REST bulk read endpoints:

    /rest/v2/caches/{cacheName}?action=keys
    /rest/v2/caches/{cacheName}?action=entries

use the cluster publisher, an internal component that does not check whether the subject holds the bulk read permission (BULK_READ).

The methods require authentication, but once authenticated, any user can invoke them successfully.
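As an added verification example (not part of this issue or of the Infinispan project), the following POSIX shell script calls the two endpoints above as a user who has not been granted the bulk read permission and reports whether the server denies each call. The base URL, cache name, credentials and the use of Digest authentication are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the Infinispan issue: confirms that the bulk read
# endpoints named in ISPN-14985 reject an authenticated user without BULK_READ.
# Assumptions: the caller supplies the server base URL, the cache name and the
# low-privilege credentials; the REST endpoint is assumed to use Digest auth.

# Map an HTTP status code to a verdict. 403 means authorization is enforced;
# 200 means the bulk op succeeded for a user without BULK_READ (the bug);
# anything else (401, 404, 000 on connection failure) is not meaningful.
verdict_for_status() {
    case "$1" in
        403) echo "denied" ;;
        200) echo "vulnerable" ;;
        *)   echo "inconclusive" ;;
    esac
}

# Return only the HTTP status code for one bulk action (keys or entries).
bulk_status() {
    base="$1"; cache="$2"; action="$3"; user="$4"; pass="$5"
    curl -s -o /dev/null -w '%{http_code}' --digest -u "$user:$pass" \
        "$base/rest/v2/caches/$cache?action=$action"
}

# Check both endpoints; exit status 0 only if both calls are denied.
check_bulk_read_enforced() {
    base="$1"; cache="$2"; user="$3"; pass="$4"
    rc=0
    for action in keys entries; do
        status=$(bulk_status "$base" "$cache" "$action" "$user" "$pass")
        verdict=$(verdict_for_status "$status")
        echo "action=$action status=$status verdict=$verdict"
        [ "$verdict" = "denied" ] || rc=1
    done
    return $rc
}

# Usage: ./check_bulk_read.sh http://localhost:11222 mycache reader readerpass
# (all four values are placeholders for the operator's own server and account)
if [ $# -eq 4 ]; then
    check_bulk_read_enforced "$@"
fi
```

Run it against a server before and after upgrading to a fixed version; a "vulnerable" verdict on either action means the upgrade has not taken effect.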

            Assignee: Tristan Tarrant (ttarrant@redhat.com)
            Reporter: Tristan Tarrant (ttarrant@redhat.com)