A flaw was found in WildFly Core. A management user holding a role such as "Monitor" could use the resolve-expression operation in the HAL management interface and thereby read potentially sensitive information from the WildFly system. Note that this requires a management user in the "Monitor" role or a similar role, which is expected to be a small set of users that already have a high level of access. A malicious user with access to such a management account could use it to obtain potentially sensitive information from the system. By default, no sensitive information is exposed. WildFly administrators are strongly recommended to use Vault, and especially the current Elytron subsystem, to store potentially critical information such as DNS names, IP addresses and credentials.
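The exposure described above only matters where an administrator has placed something sensitive behind a `${...}` expression (a system property, an environment variable) that the management layer can resolve. The following scanner, added here as an illustration and not part of the advisory or of the WildFly project, walks a server configuration and reports every expression-valued attribute, flags the ones on sensitive-looking names (password, secret, credential, token), and says where the value would be resolved from, so that such values can be moved into an Elytron credential store (`credential-reference`) instead. The XML fragment is a constructed sample; its subsystem namespace versions, datasource names and property names are illustrative assumptions, not values from the advisory.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a standalone.xml fragment (not a real deployment's config).
# AppDS keeps its password in a system property defined in the same file and the
# mail session reads one from the environment; SafeDS uses a credential-reference,
# which is the form that is not an expression and so has nothing to resolve.
SAMPLE_CONFIG = """
<server xmlns="urn:jboss:domain:20.0">
  <system-properties>
    <property name="db.password" value="s3cr3t"/>
  </system-properties>
  <profile>
    <subsystem xmlns="urn:jboss:domain:datasources:7.0">
      <datasources>
        <datasource jndi-name="java:jboss/datasources/AppDS" pool-name="AppDS">
          <connection-url>jdbc:postgresql://${db.host:localhost}:5432/app</connection-url>
          <security>
            <user-name>app</user-name>
            <password>${db.password}</password>
          </security>
        </datasource>
        <datasource jndi-name="java:jboss/datasources/SafeDS" pool-name="SafeDS">
          <connection-url>jdbc:postgresql://localhost:5432/safe</connection-url>
          <security>
            <user-name>safe</user-name>
            <credential-reference store="appCS" alias="safeDbPassword"/>
          </security>
        </datasource>
      </datasources>
    </subsystem>
    <subsystem xmlns="urn:wildfly:mail:4.0">
      <mail-session name="default" jndi-name="java:jboss/mail/Default">
        <smtp-server outbound-socket-binding-ref="mail-smtp" username="mailer"
                     password="${env.SMTP_PASSWORD}"/>
      </mail-session>
    </subsystem>
  </profile>
</server>
"""

EXPRESSION_RE = re.compile(r"\$\{([^}]+)\}")
# Attribute/element names that usually carry secrets (heuristic, assumed list).
SENSITIVE_RE = re.compile(r"password|secret|credential|token", re.IGNORECASE)


def local_name(qualified):
    """Strip the {namespace} prefix ElementTree puts on tags and attribute names."""
    return qualified.rsplit("}", 1)[-1]


def system_properties(root):
    """Collect <system-properties><property name= value=/> entries defined in the config."""
    props = {}
    for elem in root.iter():
        if local_name(elem.tag) != "system-properties":
            continue
        for child in elem:
            if local_name(child.tag) == "property" and "name" in child.attrib:
                props[child.attrib["name"]] = child.attrib.get("value", "")
    return props


def classify_source(expression_body, props):
    """Say where the management layer would resolve the expression from."""
    # ${a,b:default}: the part after the first ':' is the default, before it the candidates.
    candidates, _, _default = expression_body.partition(":")
    for name in (c.strip() for c in candidates.split(",")):
        if name.startswith("env."):
            return "environment variable " + name[len("env."):]
        if name in props:
            return "system property " + name + " defined in clear text in this config"
    return "external system property / vault (not defined in this file)"


def find_expressions(config_xml):
    """Return one finding per ${...} expression found in element text or attributes."""
    root = ET.fromstring(config_xml)
    props = system_properties(root)
    findings = []

    def record(location, text):
        for match in EXPRESSION_RE.finditer(text or ""):
            findings.append({
                "location": location,
                "expression": match.group(0),
                "source": classify_source(match.group(1), props),
                "sensitive": bool(SENSITIVE_RE.search(location)),
            })

    for elem in root.iter():
        name = local_name(elem.tag)
        record(name, elem.text)
        for attr, value in elem.attrib.items():
            record(f"{name}@{local_name(attr)}", value)
    return findings


def sensitive_expressions(config_xml):
    """Only the findings on sensitive-looking names: candidates for a credential store."""
    return [f for f in find_expressions(config_xml) if f["sensitive"]]


if __name__ == "__main__":
    for finding in find_expressions(SAMPLE_CONFIG):
        flag = "SENSITIVE" if finding["sensitive"] else "info"
        print(f"[{flag}] {finding['location']}: {finding['expression']} <- {finding['source']}")
```

Run it against a copy of `standalone.xml` (replace `SAMPLE_CONFIG` with the file contents) and treat every `SENSITIVE` line as a value that a Monitor-level user could obtain through resolve-expression on an unpatched server; moving each one into an Elytron credential store removes the expression, and with it the thing to resolve.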
This issue has been addressed in the following products:
EAP 7.4.13 via RHSA-2023:5488 https://access.redhat.com/errata/RHSA-2023:5488
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7 via RHSA-2023:5484 https://access.redhat.com/errata/RHSA-2023:5484
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 via RHSA-2023:5485 https://access.redhat.com/errata/RHSA-2023:5485
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 via RHSA-2023:5486 https://access.redhat.com/errata/RHSA-2023:5486
Marking EAP-8 as not affected because EAP 8 GA was released with the fixed version.