CVE-2020-25711
Improper Access Control in infinispan-server-runtime
CVSS 3.1 base score: 6.5 (MEDIUM)
EPSS: 0.18%
Description
A flaw was found in the Infinispan 10 REST API, where authorization permissions are not checked when performing some server management operations. When authorization is enabled, any authenticated user can perform operations such as shutting down the server without holding the ADMIN role.
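The flaw class described above is "authentication without authorization": the endpoint confirms that a caller has logged in, but never asks whether that caller holds the role the operation requires. The following is an added illustration of that pattern and its fix, written for this page; it is not Infinispan's code, and the `Principal`, `shutdown_vulnerable`, `shutdown_fixed` and `require_role` names are hypothetical.

```python
"""Authentication-only vs role-checked management operation.

Hypothetical model of the flaw class, not Infinispan's implementation.
"""
from dataclasses import dataclass, field
from functools import wraps

ADMIN = "ADMIN"


@dataclass(frozen=True)
class Principal:
    """An authenticated caller and the roles granted to it."""
    name: str
    roles: frozenset = field(default_factory=frozenset)


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def shutdown_vulnerable(principal, server_state):
    """Vulnerable variant: only checks that *some* authenticated
    caller made the request. Any logged-in user can stop the server."""
    if principal is None:
        raise Unauthenticated("login required")
    server_state["running"] = False
    return "stopped"


def require_role(role):
    """Decorator that enforces both authentication and the given role."""
    def decorate(fn):
        @wraps(fn)
        def wrapper(principal, *args, **kwargs):
            if principal is None:
                raise Unauthenticated("login required")
            if role not in principal.roles:
                raise Forbidden(f"{fn.__name__} requires role {role}")
            return fn(principal, *args, **kwargs)
        return wrapper
    return decorate


@require_role(ADMIN)
def shutdown_fixed(principal, server_state):
    """Fixed variant: the ADMIN role is checked before the operation runs."""
    server_state["running"] = False
    return "stopped"


def demo():
    """Run both variants with an ordinary user and an admin (constructed data)."""
    user = Principal("alice", frozenset({"application"}))
    admin = Principal("root", frozenset({ADMIN}))
    results = {}

    state = {"running": True}
    results["vulnerable_user"] = shutdown_vulnerable(user, state)  # succeeds: the bug

    state = {"running": True}
    try:
        shutdown_fixed(user, state)
        results["fixed_user"] = "stopped"
    except Forbidden:
        results["fixed_user"] = "forbidden"
    results["fixed_user_still_running"] = state["running"]

    state = {"running": True}
    results["fixed_admin"] = shutdown_fixed(admin, state)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the decorator is that the role check lives next to the operation's definition rather than in each call site, so a new management endpoint cannot be added without stating which role it requires.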
How to fix CVE-2020-25711
To remediate CVE-2020-25711, upgrade the affected package to a fixed version:
- infinispan-server-runtime: upgrade to 11.0.6.Final or later
Is CVE-2020-25711 being exploited?
Low. EPSS is 0.18%, i.e. the model estimates a low probability of exploitation in the wild. Note that EPSS is a prediction, not a record of observed exploitation.
Affected packages (1)
- infinispan-server-runtime: all versions from 0 up to, but not including, 11.0.6.Final
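Deciding whether a deployed build falls in the affected range is not plain string comparison, because Infinispan versions carry a qualifier (for example `11.0.6.Final` or `11.0.0.CR1`) and a release-candidate of 11.0.6 is still older than the 11.0.6.Final fix. The check below is an added example for this page, not a tool from the Infinispan project; the qualifier ordering `Dev < Alpha < Beta < CR < Final`, the treatment of a bare `x.y.z` as a final release, and the ranking of unknown qualifiers below `Final` are assumptions made here.

```python
"""Compare Infinispan-style versions against the CVE-2020-25711 fix version.

Added example; the qualifier ordering is an assumption, not project policy.
"""
import re

FIXED_VERSION = "11.0.6.Final"

# Assumed ordering of pre-release qualifiers; Final is the release.
QUALIFIER_RANK = {"Dev": 0, "Alpha": 1, "Beta": 2, "CR": 3, "Final": 4}

# major.minor.micro[.Qualifier[N]][-anything]  (the trailing "-suffix",
# e.g. a vendor rebuild tag, is ignored for ordering purposes)
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+)(\d*))?(?:-.*)?$"
)


def parse_version(version):
    """Return a sortable tuple (major, minor, micro, qualifier_rank, qualifier_num)."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, micro, qualifier, qnum = match.groups()
    if qualifier is None:
        qualifier = "Final"  # assumption: bare x.y.z is a release
    # Unknown qualifiers (e.g. SNAPSHOT) sort below every known one, which
    # is the conservative choice: they are treated as pre-release builds.
    rank = QUALIFIER_RANK.get(qualifier, -1)
    return (int(major), int(minor), int(micro), rank, int(qnum or 0))


def is_affected(version, fixed=FIXED_VERSION):
    """True if `version` is older than the fixed version (i.e. vulnerable)."""
    return parse_version(version) < parse_version(fixed)


def report(versions, fixed=FIXED_VERSION):
    """Map each version to 'affected' or 'fixed' for an inventory list."""
    return {v: ("affected" if is_affected(v, fixed) else "fixed") for v in versions}


if __name__ == "__main__":
    # Constructed inventory, not real deployment data.
    inventory = ["10.1.8.Final", "11.0.5.Final", "11.0.6.CR1",
                 "11.0.6.Final", "11.0.9.Final-redhat-00001", "12.0.0.Dev01"]
    for version, status in report(inventory).items():
        print(f"{version:28} {status}")
```

The useful edge case is `11.0.6.CR1`: its numeric components equal the fix version, so a naive `"11.0.6.CR1" >= "11.0.6.Final"` string comparison would wrongly report it as fixed, while the qualifier-aware comparison flags it as affected.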
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM | 6.5 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |