A flaw was found in Infinispan. When serializing the configuration for a cache to XML/JSON/YAML, which contains credentials (JDBC store with connection pooling, remote store), the credentials are returned in clear text as part of the configuration.
CVE-2023-5384
This high-severity CVE scores 7.2 under NVD CVSS v3. EPSS exploit probability: 0.5%, top 32% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
- Lower severity and no public exploit yet
A fix is available — apply it.
- CVSS v3
- 2.7
- EG Score
- 7.2(medium)
- EPSS
- 41.7%
- KEV
- Not listed
Published
December 18, 2023
Last Modified
June 17, 2026
References (7)
- secalert@redhathttps://access.redhat.com/errata/RHSA-2023:7676
- secalert@redhathttps://access.redhat.com/security/cve/CVE-2023-5384
- secalert@redhathttps://bugzilla.redhat.com/show_bug.cgi?id=2242156
- af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7676
- af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-5384
- af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2242156
- af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240125-0004/
Patch Availability(1)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | infinispan | 2023-12-06 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(8 across 1 ecosystem)
Maven(8)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.infinispan:infinispan-cachestore-jdbc | 10.0.0.Alpha1 ... 9.4.9.Final (367 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-cachestore-jdbc-common | 13.0.0.CR1 ... 14.0.9.Final (57 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-cachestore-remote | 10.0.0.Alpha1 ... 9.4.9.Final (367 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-cachestore-sql | 13.0.0.CR1 ... 14.0.9.Final (57 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-client-hotrod | 10.0.0.Alpha1 ... 9.4.9.Final (367 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-commons | 10.0.0.Alpha1 ... 9.4.9.Final (302 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-core | 10.0.0.Alpha1 ... 9.4.9.Final (368 versions) | 14.0.25.Final | — |
| org.infinispan:infinispan-hotrod | 14.0.0.CR1 ... 14.0.9.Final (29 versions) | 14.0.25.Final | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(1)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
Frequently asked(5)
What is CVE-2023-5384?
When was CVE-2023-5384 disclosed?
Is CVE-2023-5384 actively exploited?
What is the CVSS score of CVE-2023-5384?
How do I remediate CVE-2023-5384?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-5384
Is Your Infrastructure Affected by CVE-2023-5384?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.