{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2023-3628","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2023-07-11T20:37:22.734Z","datePublished":"2023-12-18T13:43:07.750Z","dateUpdated":"2025-11-07T10:41:24.777Z"},"containers":{"cna":{"title":"Infispan: rest bulk ops don't check permissions","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"A flaw was found in Infinispan's REST. Bulk read endpoints do not properly evaluate user permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Data Grid 8.4.4","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","defaultStatus":"unaffected","packageName":"infinispan","cpes":["cpe:/a:redhat:jboss_data_grid:8"]},{"vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 6","collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","packageName":"infinispan","defaultStatus":"unknown","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:6"]}],"references":[{"url":"https://access.redhat.com/errata/RHSA-2023:5396","name":"RHSA-2023:5396","tags":["vendor-advisory","x_refsource_REDHAT"]},{"url":"https://access.redhat.com/security/cve/CVE-2023-3628","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217924","name":"RHBZ#2217924","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2023-09-21T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-304","description":"Missing Critical Step in Authentication","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-304: Missing Critical Step in Authentication","timeline":[{"lang":"en","time":"2023-06-22T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2023-09-21T00:00:00.000Z","value":"Made public."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2025-11-07T10:41:24.777Z"}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T07:01:57.380Z"},"title":"CVE Program Container","references":[{"url":"https://access.redhat.com/errata/RHSA-2023:5396","name":"RHSA-2023:5396","tags":["vendor-advisory","x_refsource_REDHAT","x_transferred"]},{"url":"https://access.redhat.com/security/cve/CVE-2023-3628","tags":["vdb-entry","x_refsource_REDHAT","x_transferred"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2217924","name":"RHBZ#2217924","tags":["issue-tracking","x_refsource_REDHAT","x_transferred"]},{"url":"https://security.netapp.com/advisory/ntap-20240125-0004/","tags":["x_transferred"]}]}]}}