Bug 1929479 (CVE-2021-20250)
| Summary: | CVE-2021-20250 wildfly: Information disclosure due to publicly accessible privileged actions in JBoss EJB Client | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kunjan Rathod <krathod> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, drieden, eleandro, etirelli, fjuma, ggaughan, gmalinko, gvarsami, ibek, iweiss, janstey, jcoleman, jochrist, jpallich, jperkins, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, lthon, mnovotny, msochure, msvehla, mszynkie, nwallace, pdrozd, pgallagh, pjindal, pmackay, rguimara, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, sdaley, smaestri, spinder, sthorger, tcunning, theute, tkirby, tom.jenkinson, yborgess |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | jboss-ejb-client 4.0.39 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-03-16 19:20:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1927289, 1929559 | ||
|
Description
Kunjan Rathod
2021-02-17 02:45:02 UTC
Affects 4.0.38, fixed in 4.0.39 via https://github.com/wildfly/jboss-ejb-client/pull/503. This vulnerability is out of security support scope for the following product: * Red Hat JBoss Operations Network 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2021:0885 https://access.redhat.com/errata/RHSA-2021:0885 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:0873 https://access.redhat.com/errata/RHSA-2021:0873 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:0874 https://access.redhat.com/errata/RHSA-2021:0874 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:0872 https://access.redhat.com/errata/RHSA-2021:0872 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20250 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.6 Via RHSA-2021:0974 https://access.redhat.com/errata/RHSA-2021:0974 This issue has been addressed in the following products: Red Hat EAP-XP via EAP 7.3.x base Via RHSA-2021:2210 https://access.redhat.com/errata/RHSA-2021:2210 This issue has been addressed in the following products: Red Hat EAP-XP 2.0.0 via EAP 7.3.x base Via RHSA-2021:2755 https://access.redhat.com/errata/RHSA-2021:2755 |