Infinispan caches credentials in clear text

Low severity GitHub Reviewed Published Dec 28, 2023 to the GitHub Advisory Database • Updated Sep 16, 2024

Package: org.infinispan:infinispan-cachestore-jdbc (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-cachestore-jdbc-common (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-cachestore-remote (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-cachestore-sql (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-client-hotrod (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-commons (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-core (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Package: org.infinispan:infinispan-hotrod (Maven)
Affected versions: >= 15.0.0.Dev01, < 15.0.0.Dev07; < 14.0.25.Final
Patched versions: 15.0.0.Dev07; 14.0.25.Final

Description

A flaw was found in Infinispan. When the configuration of a cache that contains credentials (JDBC store with connection pooling, remote store) is serialized to XML/JSON/YAML, the credentials are returned in clear text as part of the configuration.
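A check for the condition described above, added here as an example and not taken from the advisory or from Infinispan's code: it walks a serialized cache configuration in JSON form and reports every key ending in "password" that carries a literal value. The sample document, its element names and its values are constructed assumptions.

```python
import json

# Constructed sample of a serialized cache configuration (JSON form); the
# element names and all values are assumptions made for this example.
SAMPLE_CONFIG = """
{
  "distributed-cache": {
    "persistence": {
      "string-keyed-jdbc-store": {
        "connection-pool": {
          "username": "dbuser",
          "password": "example-db-secret"
        }
      },
      "remote-store": {
        "security": {
          "authentication": {
            "username": "remoteuser",
            "password": "example-remote-secret"
          }
        }
      }
    }
  }
}
"""

def find_cleartext_credentials(node, path=""):
    """Return the paths of keys ending in 'password' that hold a non-empty string."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}/{key}"
            if isinstance(value, str) and value and key.lower().endswith("password"):
                hits.append(child)
            else:
                hits.extend(find_cleartext_credentials(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_cleartext_credentials(item, f"{path}[{index}]"))
    return hits

def audit(serialized_json):
    """Parse serialized configuration text and list clear-text credential paths."""
    return find_cleartext_credentials(json.loads(serialized_json))

if __name__ == "__main__":
    for hit in audit(SAMPLE_CONFIG):
        print("clear-text credential at", hit)
```

Run it against configuration output captured from your own deployment before and after upgrading to a patched version to confirm what the serialized form exposes.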

References

Published by the National Vulnerability Database Dec 18, 2023
Published to the GitHub Advisory Database Dec 28, 2023
Reviewed Sep 16, 2024
Last updated Sep 16, 2024

Severity

Low

EPSS score

0.053%
(23rd percentile)

Weaknesses

CVE ID

CVE-2023-5384

GHSA ID

GHSA-gg57-587f-h5v6

Source code
