CVE-2020-25711: Improper Access Control in infinispan-server-runtime
CVSS Score: 6.5 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-25711
GHSA ID:
EPSS Score: 0.40537%
CWE:
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.infinispan:infinispan-core | maven | <= 11.0.5.Final | 11.0.6.Final |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing authorization checks in the REST API endpoints that handle server management operations. Based on the advisory's explicit list of affected operations (server stop, cluster stop, server report, cache ignore list), we identify the corresponding handler methods in Infinispan's REST API implementation. These functions would appear in runtime profiles when unprivileged users execute privileged operations, because they process the request at the point where the (missing) authorization check would normally occur. The high confidence comes from the exact match between the documented vulnerable operations and the standard Infinispan REST API implementation patterns.