TLS Hostname Validation Missing in Apache Ignite Hot Rod Client (MITM Risk)
CVE-2023-4586 Published on October 4, 2023

Hotrod-client: hot rod client does not enable hostname validation when using tls that lead to a mitm attack
A vulnerability was found in the Hot Rod client. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2023-4586 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
NONE
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.


Products Associated with CVE-2023-4586

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2023-4586 are published in these products:

Netty
 
Red Hat Data Grid
 
Infinispan Hot Rod
 
Red Hat Jboss Data Grid
 

Affected Versions

Red Hat Data Grid 8.4.6:

Exploit Probability

EPSS
0.13%
Percentile
32.58%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.