CVE-2023-4061

Published: 05 Oct 2023
Source: redhat
CVSS3: 6.5

Description

A flaw was found in wildfly-core. A management user could use the resolve-expression in the HAL Interface to read possible sensitive information from the Wildfly system. This issue could allow a malicious user to access the system and obtain possible sensitive information from the system.

Statement

This vulnerability requires a malicious user to previously have access to the system, especially access to the HAL interface via a browser, logged in with a management user who has access to the resolve-expression method, hence the moderate impact.

Mitigation

Wildfly administrators are recommended to use Vault, especially the Elytron subsystem, to store potential critical information such as DNS, IPs, and credentials.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat JBoss Enterprise Application Platform 8 | wildfly-core | Not affected | - | -
EAP 7.4.13 | wildfly-core | Fixed | RHSA-2023:5488 | 05.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-wildfly | Fixed | RHSA-2023:5485 | 06.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-wildfly-elytron | Fixed | RHSA-2023:5485 | 06.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | eap7-wildfly | Fixed | RHSA-2023:5486 | 06.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 | eap7-wildfly-elytron | Fixed | RHSA-2023:5486 | 06.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | eap7-wildfly | Fixed | RHSA-2023:5484 | 05.10.2023
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 | eap7-wildfly-elytron | Fixed | RHSA-2023:5484 | 05.10.2023

Additional information

Status:

Moderate
Weakness:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2228608
wildfly-core: Management User RBAC permission allows unexpected reading of system-properties to an Unauthorized actor

CVSS3: 6.5 (Medium)

Related vulnerabilities

CVSS3: 6.5
nvd
about 2 years ago

CVSS3: 6.5
github
about 2 years ago

wildfly-core Exposure of Sensitive Information to an Unauthorized Actor vulnerability

CVSS3: 6.5 (Medium)