{
  "threat_severity" : "Important",
  "public_date" : "2020-09-03T00:00:00Z",
  "bugzilla" : {
    "description" : "Infinispan: REST and HotRod APIs unsecured locally by default",
    "id" : "1835922",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1835922"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.4",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-862",
  "details" : [ "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.", "A flaw was found in Infinispan (org.infinispan:infinispan-server-runtime) version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server." ],
  "acknowledgement" : "This issue was discovered by Diego Lovison (Red Hat).",
  "affected_release" : [ {
    "product_name" : "Red Hat Data Grid",
    "release_date" : "2020-09-03T00:00:00Z",
    "advisory" : "RHSA-2020:3626",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Affected",
    "package_name" : "infinispan",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-rest",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-rest",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "infinispan-rest",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "infinispan-rest",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "infinispan-rest",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10746\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10746" ],
  "name" : "CVE-2020-10746",
  "csaw" : false
}