CVE-2024-6875: Missing Release of Memory after Effective Lifetime
A vulnerability was found in the Infinispan component in Red Hat Data Grid. The REST compare API may have a buffer leak, and an out-of-memory error can occur when sending continual requests with large POST data to the REST API.
AI Analysis
Technical Summary
CVE-2024-6875 identifies a vulnerability in the Infinispan component of Red Hat Data Grid, specifically within the REST compare API. The issue arises from a missing release of memory after its effective lifetime, leading to a buffer leak. When an attacker sends continual POST requests containing large payloads to the REST API, the system fails to free the allocated memory properly, so memory consumption grows without bound. This results in out-of-memory errors that can degrade or crash the service, effectively causing a denial-of-service (DoS) condition. The vulnerability has a CVSS 3.1 base score of 6.5, indicating medium severity. The vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) shows that the attack can be performed remotely over the network with low privileges, requires no user interaction, and impacts only availability, without compromising confidentiality or integrity. No known exploits have been reported in the wild, and no patches or mitigations have been explicitly linked yet. The affected-version field is recorded as '0' in the data, which likely means the affected versions of the component are unspecified rather than a specific release. This memory leak can be exploited to disrupt services relying on Red Hat Data Grid, especially those exposing the REST compare API to untrusted networks or users.
Potential Impact
The primary impact of CVE-2024-6875 is on the availability of systems running Red Hat Data Grid with the vulnerable Infinispan REST compare API. Successful exploitation leads to memory exhaustion, causing service degradation or crashes, resulting in denial-of-service conditions. This can disrupt business-critical applications relying on Red Hat Data Grid for caching or data grid services, potentially affecting application performance and uptime. Since the vulnerability does not affect confidentiality or integrity, data breaches or unauthorized data modification are not direct concerns. However, service outages can impact operational continuity, customer experience, and potentially lead to financial losses or reputational damage. Organizations with high transaction volumes or those exposing the REST API to external or untrusted networks are at increased risk. The requirement for low privileges means that even less-privileged users or compromised internal accounts could trigger the issue, expanding the threat surface. Given the lack of known exploits, the immediate risk is moderate, but the potential for DoS attacks warrants proactive mitigation.
Mitigation Recommendations
To mitigate CVE-2024-6875, organizations should first monitor Red Hat and Infinispan advisories for official patches or updates addressing the memory leak. Until patches are available, implement strict rate limiting on the REST compare API to prevent continuous large POST requests from overwhelming the system. Enforce maximum payload size restrictions on incoming POST data to reduce memory consumption risks. Employ network-level controls such as firewall rules or API gateways to restrict access to the REST API to trusted users and networks only. Regularly monitor system memory usage and set up alerts for unusual spikes that may indicate exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block suspicious request patterns targeting the REST API. Review and tighten user privileges to ensure only necessary accounts have access to the REST API, minimizing the potential for low-privilege exploitation. Finally, conduct thorough testing of the environment to identify any abnormal behavior related to memory usage under load.
Affected Countries
United States, Germany, United Kingdom, France, India, Japan, Canada, Australia, Brazil, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-07-18T05:05:19.468Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981cc4522896dcbda3c6
Added to database: 5/21/2025, 9:08:44 AM
Last enriched: 2/28/2026, 3:51:24 AM
Last updated: 3/26/2026, 9:30:47 AM