{
  "threat_severity" : "Moderate",
  "public_date" : "2023-09-21T00:00:00Z",
  "bugzilla" : {
    "description" : "infinispan: Non-admins should not be able to get cache config via REST API",
    "id" : "2217926",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2217926"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-304",
  "details" : [ "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions.", "A flaw was found in Infinispan's REST, Cache retrieval endpoints do not properly evaluate the necessary admin permissions for the operation. This issue could allow an authenticated user to access information outside of their intended permissions." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Data Grid 8.4.4",
    "release_date" : "2023-09-28T00:00:00Z",
    "advisory" : "RHSA-2023:5396",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "infinispan"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "infinispan",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-3629\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-3629" ],
  "name" : "CVE-2023-3629",
  "csaw" : false
}