CVE-2020-10771

7.1 HIGH

📋 TL;DR

CVE-2020-10771 is a CSRF vulnerability in Infinispan 10 that allows attackers to perform unauthorized actions via GET requests. This affects systems running vulnerable Infinispan versions, potentially enabling data manipulation or service disruption. Organizations using Infinispan for caching or data grid functionality are at risk.

💻 Affected Systems

Products:
  • Infinispan
Versions: 10.x (specifically 10.1.x)
Operating Systems: All operating systems running Infinispan
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Infinispan REST endpoints that accept GET requests for state-changing operations. Requires attacker to trick authenticated user into visiting malicious page.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of Infinispan-managed data, including data corruption, unauthorized modifications, or service disruption affecting dependent applications.

🟠 Likely Case: Unauthorized data manipulation or configuration changes within Infinispan, potentially affecting application performance or data integrity.

🟢 If Mitigated: Limited impact with proper CSRF protections, network segmentation, and access controls in place.

🌐 Internet-Facing: HIGH - If Infinispan management interfaces are exposed to the internet, attackers can easily exploit this CSRF vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the victim to be authenticated to Infinispan and visit a malicious webpage. Standard CSRF attack vectors apply.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Infinispan 10.1.8.Final and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1846293

Restart Required: Yes

Instructions:

1. Upgrade Infinispan to version 10.1.8.Final or later.
2. Stop the Infinispan service.
3. Replace the Infinispan JAR files with the patched version.
4. Restart the Infinispan service.
5. Verify the version and functionality.

🔧 Temporary Workarounds

Disable GET for state-changing operations (applies to: all)
  • Configure Infinispan to reject GET requests for operations that modify state
  • Modify the Infinispan configuration to enforce POST/PUT/DELETE for state-changing operations

Implement CSRF tokens (applies to: all)
  • Add CSRF protection to Infinispan REST endpoints
  • Configure a web application firewall or reverse proxy to inject CSRF tokens

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Infinispan from untrusted networks
  • Deploy web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check the Infinispan version: if it is running 10.1.x before 10.1.8.Final, the system is vulnerable. Test whether GET requests can perform state-changing operations via the REST API.

Check Version:

java -jar infinispan-server.jar --version

Verify Fix Applied:

Verify Infinispan version is 10.1.8.Final or later. Test that GET requests to state-changing endpoints now return appropriate error codes.

📡 Detection & Monitoring

Log Indicators:

  • Multiple GET requests to state-changing endpoints from same source
  • Unexpected 200 OK responses to GET requests that should require POST

Network Indicators:

  • GET requests with parameters that typically require POST/PUT
  • Cross-origin requests to Infinispan REST endpoints

SIEM Query:

source="infinispan" AND (method="GET" AND (uri="/rest/*" OR uri="/api/*") AND status=200)
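The log and network indicators above can be checked offline against access logs before they reach a SIEM. The following script is an added example, not part of this advisory or of the Infinispan project: it parses a reverse-proxy style access log (format assumed for the example, with the Referer and Origin header values appended to the combined log format), flags GET requests to /rest/* or /api/* that returned 200 OK, and marks them as suspicious when they carry query parameters or come from an untrusted Referer/Origin, then counts repeated suspicious GETs per source. The sample log lines, the TRUSTED_HOSTS value and the request paths are constructed and do not reflect Infinispan's real REST paths.

```python
"""Offline check of access logs for the CVE-2020-10771 CSRF-via-GET indicators.

Added example; log format, trusted hosts and sample lines are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed log format: combined log format plus quoted Referer and Origin values.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)

# Hosts from which browser requests to this Infinispan instance are expected
# (assumed value for the example).
TRUSTED_HOSTS = {"cache.internal"}
# Path prefixes from the advisory's SIEM query.
MONITORED_PREFIXES = ("/rest/", "/api/")
# Number of suspicious GETs from one source that counts as "multiple".
REPEAT_THRESHOLD = 3

# Constructed sample log (not real Infinispan or proxy output).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Jun/2020:12:00:01 +0000] "GET /rest/cache/orders/k1 HTTP/1.1" 200 "https://cache.internal/console" "-"
192.0.2.10 - admin [01/Jun/2020:12:00:05 +0000] "GET /rest/cache/orders/k1?op=update HTTP/1.1" 200 "https://evil.example/lure.html" "-"
192.0.2.10 - admin [01/Jun/2020:12:00:06 +0000] "GET /rest/cache/orders/k2?op=update HTTP/1.1" 200 "https://evil.example/lure.html" "https://evil.example"
192.0.2.10 - admin [01/Jun/2020:12:00:07 +0000] "GET /rest/cache/orders/k3?op=update HTTP/1.1" 200 "https://evil.example/lure.html" "-"
192.0.2.10 - admin [01/Jun/2020:12:00:09 +0000] "GET /rest/cache/orders/k4?op=update HTTP/1.1" 405 "https://evil.example/lure.html" "-"
10.0.0.7 - - [01/Jun/2020:12:00:10 +0000] "POST /rest/cache/orders/k5 HTTP/1.1" 200 "https://cache.internal/console" "https://cache.internal"
this line is not an access log entry
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def host_of(url):
    """Hostname of a Referer/Origin value; None when the header was absent ('-')."""
    return urlsplit(url).hostname if url and url != "-" else None


def indicators(rec):
    """Names of the advisory's indicators that this record matches."""
    hits = []
    if rec["method"] != "GET" or rec["status"] != "200":
        return hits
    parts = urlsplit(rec["target"])
    if not parts.path.startswith(MONITORED_PREFIXES):
        return hits
    hits.append("get_200_on_rest")            # baseline: the SIEM query condition
    if parts.query:
        hits.append("get_with_parameters")    # parameters usually sent via POST/PUT
    for hdr in ("referer", "origin"):
        h = host_of(rec[hdr])
        if h and h not in TRUSTED_HOSTS:
            hits.append(f"cross_origin_{hdr}")  # cross-origin request to the REST API
    return hits


def analyze(log_text):
    """Summarise a log: baseline count, suspicious entries, and repeat sources."""
    baseline = 0
    suspicious = []
    per_source = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = indicators(rec)
        if not hits:
            continue
        baseline += 1
        # Anything beyond the baseline condition is worth an analyst's attention.
        if len(hits) > 1:
            suspicious.append((rec["src"], rec["target"], hits))
            per_source[rec["src"]] += 1
    repeat_sources = {s for s, n in per_source.items() if n >= REPEAT_THRESHOLD}
    return {"baseline_get_200": baseline,
            "suspicious": suspicious,
            "repeat_sources": repeat_sources}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"GET/200 on monitored paths: {result['baseline_get_200']}")
    for src, target, hits in result["suspicious"]:
        print(f"suspicious {src} {target} {hits}")
    print(f"sources with repeated suspicious GETs: {sorted(result['repeat_sources'])}")
```

On the constructed sample, the same-origin read on the first line only matches the baseline condition, the three cross-origin GETs with parameters from 192.0.2.10 are reported as suspicious and that source crosses the repeat threshold, and the 405 response on the fourth 192.0.2.10 request is not counted, which is the behaviour expected after the fix makes such GETs return an error code.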
