Bug 2337620 (CVE-2025-23367)
| Summary: | CVE-2025-23367 org.wildfly.core:wildfly-server: Wildfly improper RBAC permission | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, ecerquei, fjuma, gmalinko, ibek, istudens, ivassile, iweiss, janstey, jkoops, jrokos, kverlaen, lgao, mnovotny, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, pesilva, pjindal, pmackay, pskopek, rguimara, rmartinc, rowaters, rstancel, rstepani, security-response-team, smaestri, sthorger, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server.
The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Deadline: | 2025-03-03 | ||
|
Description
OSIDB Bzimport
2025-01-14 15:30:59 UTC
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2025:3467 https://access.redhat.com/errata/RHSA-2025:3467 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2025:3465 https://access.redhat.com/errata/RHSA-2025:3465 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8 Via RHSA-2025:3989 https://access.redhat.com/errata/RHSA-2025:3989 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9 Via RHSA-2025:3990 https://access.redhat.com/errata/RHSA-2025:3990 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2025:3992 https://access.redhat.com/errata/RHSA-2025:3992 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2025:4552 https://access.redhat.com/errata/RHSA-2025:4552 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 Via RHSA-2025:4550 https://access.redhat.com/errata/RHSA-2025:4550 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 Via RHSA-2025:4548 https://access.redhat.com/errata/RHSA-2025:4548 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 Via RHSA-2025:4549 https://access.redhat.com/errata/RHSA-2025:4549 |