VDB
KO
HIGH 8.8

GHSA-4hhg-8ghq-vwq6

Infinispan: Deserialization of untrusted data in the Hot Rod Java client via automatic byte-array deserialization

Details

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / org.infinispan:infinispan-core
Introduced in: 0 Fixed in: 9.1.0.Final
Fix # pom.xml: bump <version>9.1.0.Final</version> for org.infinispan:infinispan-core

References