Please patch CVEs for package infinispan version 8.2.9 INFO (CVEs are): infinispan 8.2.9 cves found CVE-2016-0750 Desc: The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks. Link: https://nvd.nist.gov/vuln/detail/CVE-2016-0750 Severity: HIGH CVE-2017-2638 Desc: It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name. Link: https://nvd.nist.gov/vuln/detail/CVE-2017-2638 Severity: MEDIUM CVE-2019-10174 Desc: A vulnerability was found in Infinispan such that the invokeAccessibly method from the public class ReflectionUtil allows any application class to invoke private methods in any class with Infinispan's privileges. The attacker can use reflection to introduce new, malicious behavior into the application. Link: https://nvd.nist.gov/vuln/detail/CVE-2019-10174 Severity: HIGH CVE-2020-25711 Desc: A flaw was found in infinispan 10 REST API, where authorization permissions are not checked while performing some server management operations. When authz is enabled, any user with authentication can perform operations like shutting down the server without the ADMIN role. Link: https://nvd.nist.gov/vuln/detail/CVE-2020-25711 Severity: MEDIUM
*** This bug has been marked as a duplicate of bug 13864 ***