{
  "threat_severity" : "Moderate",
  "public_date" : "2017-04-19T00:00:00Z",
  "bugzilla" : {
    "description" : "infinispan: auth bypass in REST api",
    "id" : "1428564",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1428564"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-306",
  "details" : [ "It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.", "It was found that the REST API in infinispan did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name." ],
  "acknowledgement" : "This issue was discovered by Jonathan Mason (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Data Grid 7.1",
    "release_date" : "2017-04-19T00:00:00Z",
    "advisory" : "RHSA-2017:1097",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7.1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Affected",
    "package_name" : "rest",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-2638\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-2638" ],
  "name" : "CVE-2017-2638",
  "csaw" : false
}