{"api_version":"1","generated_at":"2026-04-23T02:34:02+00:00","cve":"CVE-2017-2638","urls":{"html":"https://cve.report/CVE-2017-2638","api":"https://cve.report/api/cve/CVE-2017-2638.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2017-2638","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2017-2638"},"summary":{"title":"CVE-2017-2638","description":"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2018-07-16 13:29:00","updated_at":"2019-10-09 23:27:00"},"problem_types":["CWE-287"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2017-1097.html","name":"RHSA-2017:1097","refsource":"REDHAT","tags":["Third Party Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://github.com/infinispan/infinispan/pull/4936/commits","name":"https://github.com/infinispan/infinispan/pull/4936/commits","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"ISPN-7485 Restore REST authentication by tristantarrant · Pull Request #4936 · infinispan/infinispan · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1428564 – (CVE-2017-2638) CVE-2017-2638 infinispan: auth bypass in REST api","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/97964","name":"97964","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"infinispan CVE-2017-2638 Authentication Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://issues.jboss.org/browse/ISPN-7485","name":"https://issues.jboss.org/browse/ISPN-7485","refsource":"CONFIRM","tags":["Third Party Advisory"],"title":"[ISPN-7485] Restore authentication functionality on the REST connector - JBoss Issue Tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2017-2638","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2017-2638","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2017","cve_id":"2638","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"infinispan","cpe5":"infinispan","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"2638","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"infinispan","cpe5":"infinispan","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"2638","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_data_grid","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2017","cve_id":"2638","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_data_grid","cpe6":"7.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2017-2638","qid":"994823","title":"Java (Maven) Security Update for org.infinispan:infinispan-server-core (GHSA-mvxp-3j62-jqr6)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"secalert@redhat.com","ID":"CVE-2017-2638","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"infinispan","version":{"version_data":[{"version_value":"Infinispan 9.0.0.Final"}]}}]},"vendor_name":"[UNKNOWN]"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name."}]},"impact":{"cvss":[[{"vectorString":"6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","version":"3.0"}]]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-306"}]}]},"references":{"reference_data":[{"name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638","refsource":"CONFIRM","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2638"},{"name":"RHSA-2017:1097","refsource":"REDHAT","url":"http://rhn.redhat.com/errata/RHSA-2017-1097.html"},{"name":"https://issues.jboss.org/browse/ISPN-7485","refsource":"CONFIRM","url":"https://issues.jboss.org/browse/ISPN-7485"},{"name":"https://github.com/infinispan/infinispan/pull/4936/commits","refsource":"CONFIRM","url":"https://github.com/infinispan/infinispan/pull/4936/commits"},{"name":"97964","refsource":"BID","url":"http://www.securityfocus.com/bid/97964"}]}},"nvd":{"publishedDate":"2018-07-16 13:29:00","lastModifiedDate":"2019-10-09 23:27:00","problem_types":["CWE-287"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:infinispan:infinispan:*:*:*:*:*:*:*:*","versionEndExcluding":"9.0.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_data_grid:7.1:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2017","CveId":"2638","Ordinal":"98777","Title":"CVE-2017-2638","CVE":"CVE-2017-2638","Year":"2017"},"notes":[{"CveYear":"2017","CveId":"2638","Ordinal":"1","NoteData":"It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.","Type":"Description","Title":null},{"CveYear":"2017","CveId":"2638","Ordinal":"2","NoteData":"2018-07-16","Type":"Other","Title":"Published"},{"CveYear":"2017","CveId":"2638","Ordinal":"3","NoteData":"2018-07-17","Type":"Other","Title":"Modified"}]}}}