Permissions, Privileges, and Access Controls in Wildfly Core

#VU81930 Permissions, Privileges, and Access Controls in Wildfly Core

Published: 2023-10-11

Vulnerability identifier: #VU81930

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4061

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Wildfly Core
Server applications / Application servers

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to improper privilege management in the RBAC implementation. A remote user can use the resolve-expression in the HAL interface to read system properties from the Wildfly system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Wildfly Core: 10.0.0 - 21.1.1

External links
http://github.com/wildfly/wildfly-core/releases/tag/22.0.0.Final
http://bugzilla.redhat.com/show_bug.cgi?id=2228608

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 9

Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 7

Multiple vulnerabilities in JBoss Enterprise Application Platform 7.4 for RHEL 8

Multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform

Multiple vulnerabilities in Wildfly Core