ISPN-14985: CVE-2023-3628 REST bulk ops don't check permissions

Project: Infinispan

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 14.0.18.Final, 15.0.0.Final
    • Affects Version/s: 14.0.11.Final, 15.0.0.Final
    • Component/s: REST
    • Labels: None

      The REST bulk read endpoints:

      /rest/v2/caches/{cacheName}?action=keys
      /rest/v2/caches/{cacheName}?action=entries

      use the cluster publisher, an internal component that does not check whether the calling subject holds the BULK_READ permission.

      The methods require authentication, but once authenticated, any user can invoke them successfully, even if their role grants no bulk read permission.
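The script below is an added example, not Infinispan project code and not part of this issue; it probes both bulk read endpoints named above with a low-privilege user and reports whether the server enforces BULK_READ. It assumes a REST server at a base URL you supply, a cache name, and the credentials of a user whose role grants READ but not BULK_READ (for example a constructed role such as `<role name="reader" permissions="READ"/>` in the server's authorization configuration). The function names and the verdict strings are this example's own, and it assumes a denied bulk read comes back as 403 Forbidden while a bulk read that slips through returns 200.

```python
"""Probe the Infinispan REST bulk read endpoints with a low-privilege user.

Added example, not Infinispan project code. Assumes:
  - a REST server reachable at the base URL given on the command line,
  - a cache name, and
  - credentials of a user whose role grants READ but not BULK_READ
    (a constructed role such as <role name="reader" permissions="READ"/>).
A 403 is taken to mean the permission check fired; a 200 for such a user
means the bulk read went through unchecked.
"""
import sys
import urllib.error
import urllib.request
from urllib.parse import quote

# The two bulk read actions named in the issue.
BULK_READ_ACTIONS = ("keys", "entries")


def bulk_read_url(base_url: str, cache: str, action: str) -> str:
    """Build the /rest/v2 bulk read URL for one cache and action."""
    if action not in BULK_READ_ACTIONS:
        raise ValueError(f"not a bulk read action: {action}")
    path = f"/rest/v2/caches/{quote(cache, safe='')}?action={action}"
    return base_url.rstrip("/") + path


def classify(status: int, has_bulk_read: bool) -> str:
    """Map the HTTP status of a bulk read attempt to a verdict.

    has_bulk_read says whether the probing user's role really grants
    BULK_READ; only then is a 200 the expected outcome.
    """
    if status == 401:
        return "auth-failed"      # credentials rejected, nothing learned
    if status == 403:
        return "enforced"         # authorization denied the bulk read
    if status == 200:
        return "expected" if has_bulk_read else "unchecked"
    return "inconclusive"


def probe(base_url, cache, user, password, action, has_bulk_read=False):
    """Issue one authenticated bulk read and return (status, verdict)."""
    url = bulk_read_url(base_url, cache, action)
    pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(None, url, user, password)
    # The server picks the scheme via WWW-Authenticate; both DIGEST and
    # BASIC handlers are registered so either configuration works.
    opener = urllib.request.build_opener(
        urllib.request.HTTPDigestAuthHandler(pm),
        urllib.request.HTTPBasicAuthHandler(pm),
    )
    try:
        with opener.open(url, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return status, classify(status, has_bulk_read)


def main(argv):
    if len(argv) != 5:
        print(f"usage: {argv[0]} BASE_URL CACHE USER PASSWORD", file=sys.stderr)
        return 2
    base_url, cache, user, password = argv[1:]
    verdicts = []
    for action in BULK_READ_ACTIONS:
        status, verdict = probe(base_url, cache, user, password, action)
        verdicts.append(verdict)
        print(f"action={action:<7} status={status} verdict={verdict}")
    # Exit non-zero unless both endpoints denied the READ-only user.
    return 0 if all(v == "enforced" for v in verdicts) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python probe_bulk_read.py http://localhost:11222 mycache reader readerpw` with a user that holds READ but not BULK_READ. Two `enforced` verdicts mean the server checks the permission on both endpoints; an `unchecked` verdict for such a user reproduces the behaviour this issue describes. A 200 from a user whose role does include BULK_READ proves nothing, which is why `classify` takes `has_bulk_read` into account.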

Assignee: Tristan Tarrant (ttarrant@redhat.com)
Reporter: Tristan Tarrant (ttarrant@redhat.com)
Archiver: Amol Dongare (rhn-support-adongare)
