Description
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
Remediation
References
https://github.com/infinispan/infinispan/pull/5639
https://access.redhat.com/errata/RHSA-2018:0294
http://www.securitytracker.com/id/1040360
https://access.redhat.com/errata/RHSA-2018:0481
https://access.redhat.com/errata/RHSA-2018:0480
https://access.redhat.com/errata/RHSA-2018:0479
https://access.redhat.com/errata/RHSA-2018:0478
https://access.redhat.com/errata/RHSA-2018:0501
https://access.redhat.com/errata/RHSA-2019:1326
Related Vulnerabilities
CVE-2022-24441 Vulnerability in npm package snyk
CVE-2021-35513 Vulnerability in npm package mermaid
CVE-2020-11022 Vulnerability in maven package org.fujion.webjars:jquery
CVE-2019-10754 Vulnerability in maven package org.apereo.cas:cas-server-support-simple-mfa
CVE-2020-15084 Vulnerability in maven package org.webjars.npm:express-jwt