Описание
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
Отчет
Red Hat has evaluated this issue and the attacker must be authenticated as a user that belongs to the "Monitor" or "Auditor" management groups. It requires previous privileges to jeopardize an environment.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Build of Keycloak | org.wildfly.core/wildfly-server | Not affected | ||
| Red Hat Data Grid 8 | org.wildfly.core/wildfly-server | Will not fix | ||
| Red Hat Fuse 7 | org.wildfly.core/wildfly-server | Out of support scope | ||
| Red Hat JBoss Data Grid 7 | org.wildfly.core/wildfly-server | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform Expansion Pack | org.wildfly.core/wildfly-server | Not affected | ||
| Red Hat Process Automation 7 | org.wildfly.core/wildfly-server | Out of support scope | ||
| Red Hat Single Sign-On 7 | org.wildfly.core/wildfly-server | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 7 | org.wildfly.core/wildfly-server | Fixed | RHSA-2025:3467 | 01.04.2025 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-netty | Fixed | RHSA-2025:3465 | 01.04.2025 |
| Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 | eap7-netty-transport-native-epoll | Fixed | RHSA-2025:3465 | 01.04.2025 |
Показывать по
Дополнительная информация
Статус:
6.5 Medium
CVSS3
Связанные уязвимости
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
A flaw was found in the Wildfly Server Role Based Access Control (RBAC ...
6.5 Medium
CVSS3