Headline

CVE-2020-10771: Actions with effects should not be permitted via GET requests using REST API

A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.

3 years ago

CVE

Open in Source

#csrf #vulnerability #linux #red_hat

Bug 1846293 (CVE-2020-10771) - CVE-2020-10771 infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API

Summary: CVE-2020-10771 infinispan-server-rest: Actions with effects should not be per…

Keywords:

Status:

CLOSED ERRATA

Alias:

CVE-2020-10771

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

—

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Depends On:

Blocks:

1846287

TreeView+

depends on / blocked

Reported:

2020-06-11 10:14 UTC by Paramvir jindal

Modified:

2021-11-24 05:00 UTC (History)

CC List:

45 users (show)

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.

Clone Of:

Environment:

Last Closed:

2021-05-26 23:32:03 UTC

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

Description Paramvir jindal 2020-06-11 10:14:08 UTC

We shouldn’t be using GET request to perform these actions:

GET /rest/v2/server?action=stop GET /rest/v2/cluster?action=stop GET /rest/v2/tasks/myTask?action=exec¶m.p1=v1¶m.p2=v2 GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=cancel-push-state GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=start-push-state GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=bring-online GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=take-offline GET /rest/v2/counters/{counterName}?action=compareAndSet&expect={expect}&update={update} GET /rest/v2/counters/{counterName}?action=compareAndSwap&expect={expect}&update={update} GET /rest/v2/counters/{counterName}?action=decrement GET /rest/v2/counters/{counterName}?action=add&delta={delta} GET /rest/v2/counters/{counterName}?action=increment GET /rest/v2/counters/{counterName}?action=reset GET /v2/caches/{cacheName}/x-site/backups/{siteName}?action=cancel-receive-state

https://issues.redhat.com/browse/JDG-3625

Comment 1 Paramvir jindal 2020-06-11 10:14:19 UTC

Acknowledgments:

Name: Diego Lovison (Red Hat)

Comment 5 errata-xmlrpc 2021-05-26 21:49:54 UTC

This issue has been addressed in the following products:

Red Hat Data Grid 8.2.0

Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139

Comment 6 Product Security DevOps Team 2021-05-26 23:32:03 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10771

Note You need to log in before you can comment on or make changes to this bug.