CVE-2020-25711: 
Java vulnerability analysis and mitigation

A flaw was discovered in the Infinispan 10 REST API (CVE-2020-25711) where authorization permissions were not properly checked during server management operations. The vulnerability was reported on September 16, 2020, affecting Infinispan versions up to 11.0.6 and Red Hat Data Grid 8.0. When authorization is enabled, any authenticated user could perform privileged operations like shutting down the server without having the required ADMIN role (Red Hat Bugzilla, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H. The flaw specifically affects the org.infinispan:infinispan-server-runtime artifact. The affected operations include server stop, cluster stop, server report, and cache ignore list manipulation (Red Hat Bugzilla).

Successful exploitation of this vulnerability could lead to unauthorized addition or modification of data and potential Denial of Service (DoS). When authorization is enabled, any authenticated user could perform privileged server management operations without having the required administrative permissions (NetApp Advisory).

The vulnerability was addressed in Infinispan version 11.0.6 Final. Red Hat released security updates for affected products, including Red Hat Data Grid 8.1.1 through RHSA-2021:0433. No temporary workarounds were available for this vulnerability (Red Hat Bugzilla, Red Hat Advisory).