
CVE-2020-25711: Improper Access Control in infinispan-server-runtime

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.40537%
Published: 2/9/2022
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Package Name                    Ecosystem   Vulnerable Versions   First Patched Version
org.infinispan:infinispan-core  maven       <= 11.0.5.Final       11.0.6.Final

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from missing authorization checks in the REST API endpoints that handle server management operations. Based on the advisory's explicit list of affected operations (server stop, cluster stop, server report, cache ignore list), we identify the corresponding handler methods in Infinispan's REST API implementation. These handler methods would appear in runtime profiles when unprivileged users invoke privileged operations, because they process the request at the point where the (missing) authorization check should occur. The high confidence comes from the exact match between the documented vulnerable operations and standard Infinispan REST API implementation patterns.
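The following is an added example, not Infinispan's code and not part of the original page: a small Python model of the pattern described above (a management handler reachable after authentication alone) next to the hardened form that enforces an ADMIN role before the handler body runs, plus a detection pass over constructed audit-log lines. Every class, function, operation name and log format here is hypothetical; the four operation names only mirror the ones the advisory lists.

```python
"""Added example: a minimal model of the flaw described above (authorization
not checked on server-management operations) and of its fix.  It is not
Infinispan's code; every name in it is hypothetical."""
import re
from dataclasses import dataclass

ADMIN_ROLE = "ADMIN"
# The management operations the advisory lists as affected (names constructed).
PRIVILEGED_OPERATIONS = frozenset(
    {"server-stop", "cluster-stop", "server-report", "cache-ignore-list"}
)


@dataclass(frozen=True)
class Principal:
    name: str
    roles: frozenset


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


class VulnerableManagementApi:
    """The vulnerable pattern: the handler runs after authentication only,
    so any authenticated user can stop the server."""

    def __init__(self):
        self.executed = []  # (user, operation) pairs that reached the handler

    def invoke(self, principal, operation):
        if principal is None:
            raise Unauthenticated(operation)
        return self._handle(principal, operation)  # no permission check

    def _handle(self, principal, operation):
        self.executed.append((principal.name, operation))
        return f"{operation} executed by {principal.name}"


class HardenedManagementApi(VulnerableManagementApi):
    """Same handler, but privileged operations require the ADMIN role, and the
    check happens before the handler body runs."""

    def invoke(self, principal, operation):
        if principal is None:
            raise Unauthenticated(operation)
        if operation in PRIVILEGED_OPERATIONS and ADMIN_ROLE not in principal.roles:
            raise Forbidden(f"{principal.name} lacks {ADMIN_ROLE} for {operation}")
        return self._handle(principal, operation)


# Constructed audit-log format used for detection (not a real Infinispan log
# format): "<timestamp> user=<name> op=<operation> status=<http status>"
LOG_LINE = re.compile(r"user=(?P<user>\S+) op=(?P<op>\S+) status=(?P<status>\d+)")


def privileged_calls_by_non_admins(log_lines, admin_users):
    """Detection: successful privileged operations by users outside the admin
    set.  On a patched server these should all be 403s, so any hit points at
    an unpatched instance or a misassigned role."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        user, op, status = m["user"], m["op"], int(m["status"])
        if op in PRIVILEGED_OPERATIONS and status < 400 and user not in admin_users:
            hits.append((user, op))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    "2022-02-09T10:00:00Z user=admin op=server-report status=200",
    "2022-02-09T10:00:05Z user=reader op=cache-get status=200",
    "2022-02-09T10:00:09Z user=reader op=server-stop status=200",
    "2022-02-09T10:00:12Z user=reader op=cluster-stop status=403",
]


def demo():
    """Runs both APIs with a non-admin principal and the detection over the
    sample log; returns the outcomes so a caller can check them."""
    reader = Principal("reader", frozenset({"READER"}))
    admin = Principal("admin", frozenset({"READER", ADMIN_ROLE}))
    vulnerable, hardened = VulnerableManagementApi(), HardenedManagementApi()
    outcomes = {"vulnerable_reader_stop": vulnerable.invoke(reader, "server-stop")}
    try:
        hardened.invoke(reader, "server-stop")
        outcomes["hardened_reader_stop"] = "allowed"
    except Forbidden:
        outcomes["hardened_reader_stop"] = "forbidden"
    outcomes["hardened_admin_stop"] = hardened.invoke(admin, "server-stop")
    # Non-privileged operations stay available to the non-admin after the fix.
    outcomes["hardened_reader_get"] = hardened.invoke(reader, "cache-get")
    outcomes["log_hits"] = privileged_calls_by_non_admins(SAMPLE_LOG, {"admin"})
    return outcomes


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is where the check sits: the hardened class decides on the role before calling the handler body, which is exactly the spot the root cause analysis says the check was missing. The detection function is the defender-side counterpart: on an upgraded server (11.0.6.Final or later per the table above) a privileged operation by a non-admin should never return a success status, so any such line in the audit log is worth investigating.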


WAF Protection Rules

WAF Rule

A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server w
