{
  "threat_severity" : "Important",
  "public_date" : "2023-12-06T00:00:00Z",
  "bugzilla" : {
    "description" : "infinispan: Credentials returned from configuration as clear text",
    "id" : "2242156",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2242156"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-312",
  "details" : [ "A flaw was found in Infinispan. When serializing the configuration of a cache that contains credentials (JDBC store with connection pooling, remote store) to XML/JSON/YAML, the credentials are returned in clear text as part of the configuration.", "A flaw was found in Infinispan. When serializing the configuration of a cache that contains credentials (JDBC store with connection pooling, remote store) to XML/JSON/YAML, the credentials are returned in clear text as part of the configuration." ],
  "statement" : "Red Hat evaluated this vulnerability and determined that it only affects Infinispan's server component, so Red Hat JBoss Enterprise Application Platform (EAP) and other tools that may run Infinispan are not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat Data Grid 8.4.6",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7676",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8",
    "package" : "infinispan"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5384\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5384" ],
  "name" : "CVE-2023-5384",
  "mitigation" : {
    "value" : "The issue's impact is limited because only users with administrator permissions can retrieve the cache configurations, and the recommended approach for connecting via JDBC is using the `datasource` configuration, which does not expose the database credentials.",
    "lang" : "en:us"
  },
  "csaw" : false
}