Headline: CVE-2020-10771: Actions with effects should not be permitted via GET requests using REST API
A flaw was found in Infinispan version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a cross-site request forgery (CSRF) attack.
Bug 1846293 (CVE-2020-10771) - CVE-2020-10771 infinispan-server-rest: Actions with effects should not be permitted via GET requests using REST API
Status: CLOSED ERRATA
Alias: CVE-2020-10771
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Blocks: 1846287
Reported: 2020-06-11 10:14 UTC by Paramvir jindal
Modified: 2021-11-24 05:00 UTC
CC List: 45 users
Doc Text: A flaw was found in infinispan-server-rest version 10, where it is possible to perform various actions that could have side effects using GET requests. This flaw allows an attacker to perform a Cross-site request forgery (CSRF) attack.
Last Closed: 2021-05-26 23:32:03 UTC
Description Paramvir jindal 2020-06-11 10:14:08 UTC
We shouldn't be using GET requests to perform these actions:

GET /rest/v2/server?action=stop
GET /rest/v2/cluster?action=stop
GET /rest/v2/tasks/myTask?action=exec&param.p1=v1&param.p2=v2
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=cancel-push-state
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=start-push-state
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=bring-online
GET /rest/v2/cache-managers/{cacheManagerName}/x-site/backups/{siteName}?action=take-offline
GET /rest/v2/counters/{counterName}?action=compareAndSet&expect={expect}&update={update}
GET /rest/v2/counters/{counterName}?action=compareAndSwap&expect={expect}&update={update}
GET /rest/v2/counters/{counterName}?action=decrement
GET /rest/v2/counters/{counterName}?action=add&delta={delta}
GET /rest/v2/counters/{counterName}?action=increment
GET /rest/v2/counters/{counterName}?action=reset
GET /v2/caches/{cacheName}/x-site/backups/{siteName}?action=cancel-receive-state
https://issues.redhat.com/browse/JDG-3625
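As an added defender-side example (not code from the bug report, Red Hat or the Infinispan project), the following Python check flags requests that match the state-changing GET endpoints listed in the description above, so an operator can audit access logs or front a pre-fix server with a reverse-proxy rule for them. The path patterns and action names come from the report; the "METHOD target" line format and the cache, counter, task and site names in the sample input are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Path patterns and action names taken from the endpoint list in the report;
# a {placeholder} becomes one non-empty path segment. One path in the report
# lacks the /rest prefix, so the prefix is optional when matching.
STATE_CHANGING_GET = [
    (r"/v2/server", {"stop"}),
    (r"/v2/cluster", {"stop"}),
    (r"/v2/tasks/[^/]+", {"exec"}),
    (r"/v2/cache-managers/[^/]+/x-site/backups/[^/]+",
     {"cancel-push-state", "start-push-state", "bring-online", "take-offline"}),
    (r"/v2/counters/[^/]+",
     {"compareAndSet", "compareAndSwap", "decrement", "add", "increment", "reset"}),
    (r"/v2/caches/[^/]+/x-site/backups/[^/]+", {"cancel-receive-state"}),
]

def state_changing_action(method, target):
    """Return the action name if the request runs a listed side-effecting
    action over GET; None for other methods, no ?action=, or unlisted actions."""
    if method.upper() != "GET":
        return None
    parts = urlsplit(target)
    action = parse_qs(parts.query).get("action", [None])[0]
    if action is None:
        return None
    for pattern, actions in STATE_CHANGING_GET:
        if re.fullmatch(r"(?:/rest)?" + pattern, parts.path) and action in actions:
            return action
    return None

def find_state_changing_gets(request_lines):
    """Scan 'METHOD target' lines; return (target, action) for each hit."""
    hits = []
    for line in request_lines:
        method, _, target = line.strip().partition(" ")
        action = state_changing_action(method, target)
        if action is not None:
            hits.append((target, action))
    return hits

# Constructed sample request lines (not real Infinispan logs); names are made up.
SAMPLE_REQUESTS = [
    "GET /rest/v2/caches/users/alice",
    "GET /rest/v2/counters/visits?action=increment",
    "POST /rest/v2/counters/visits?action=increment",
    "GET /rest/v2/server?action=stop",
    "GET /rest/v2/tasks/cleanup?action=exec&param.p1=v1&param.p2=v2",
    "GET /rest/v2/cache-managers/default/x-site/backups/NYC?action=take-offline",
]
```

Running find_state_changing_gets(SAMPLE_REQUESTS) flags four of the six constructed lines: the plain cache read and the POST variant of the counter increment pass, the GET increment, stop, exec and take-offline requests are reported.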
Comment 1 Paramvir jindal 2020-06-11 10:14:19 UTC
Acknowledgments:
Name: Diego Lovison (Red Hat)
Comment 5 errata-xmlrpc 2021-05-26 21:49:54 UTC
This issue has been addressed in the following products:
Red Hat Data Grid 8.2.0
Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139
Comment 6 Product Security DevOps Team 2021-05-26 23:32:03 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-10771