CVE-2021-20250: Infoleak
First published: Wed Feb 17 2021(Updated: )
A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-activemq-artemis | <0:2.9.0-9.redhat_00019.1.el6ea | 0:2.9.0-9.redhat_00019.1.el6ea |
| redhat/eap7-bouncycastle | <0:1.68.0-1.redhat_00001.1.el6ea | 0:1.68.0-1.redhat_00001.1.el6ea |
| redhat/eap7-guava-failureaccess | <0:1.0.1-1.redhat_00002.1.el6ea | 0:1.0.1-1.redhat_00002.1.el6ea |
| redhat/eap7-guava-libraries | <0:30.1.0-1.redhat_00001.1.el6ea | 0:30.1.0-1.redhat_00001.1.el6ea |
| redhat/eap7-hal-console | <0:3.2.13-1.Final_redhat_00001.1.el6ea | 0:3.2.13-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.27-1.Final_redhat_00001.1.el6ea | 0:1.4.27-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.39-1.SP1_redhat_00001.1.el6ea | 0:4.0.39-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-jboss-logmanager | <0:2.1.18-1.Final_redhat_00001.1.el6ea | 0:2.1.18-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.20-2.SP1_redhat_00001.1.el6ea | 0:5.0.20-2.SP1_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-5.Final_redhat_00006.1.el6ea | 0:1.7.2-5.Final_redhat_00006.1.el6ea |
| redhat/eap7-narayana | <0:5.9.11-1.Final_redhat_00001.1.el6ea | 0:5.9.11-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-undertow | <0:2.0.34-1.SP1_redhat_00001.1.el6ea | 0:2.0.34-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.6-1.GA_redhat_00002.1.el6ea | 0:7.3.6-1.GA_redhat_00002.1.el6ea |
| redhat/eap7-wildfly-elytron | <0:1.10.11-1.Final_redhat_00001.1.el6ea | 0:1.10.11-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.25-1.Final_redhat_00001.1.el6ea | 0:1.0.25-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-naming-client | <0:1.0.14-1.Final_redhat_00001.1.el6ea | 0:1.0.14-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-9.redhat_00019.1.el7ea | 0:2.9.0-9.redhat_00019.1.el7ea |
| redhat/eap7-bouncycastle | <0:1.68.0-1.redhat_00001.1.el7ea | 0:1.68.0-1.redhat_00001.1.el7ea |
| redhat/eap7-guava-failureaccess | <0:1.0.1-1.redhat_00002.1.el7ea | 0:1.0.1-1.redhat_00002.1.el7ea |
| redhat/eap7-guava-libraries | <0:30.1.0-1.redhat_00001.1.el7ea | 0:30.1.0-1.redhat_00001.1.el7ea |
| redhat/eap7-hal-console | <0:3.2.13-1.Final_redhat_00001.1.el7ea | 0:3.2.13-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.27-1.Final_redhat_00001.1.el7ea | 0:1.4.27-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.39-1.SP1_redhat_00001.1.el7ea | 0:4.0.39-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-jboss-logmanager | <0:2.1.18-1.Final_redhat_00001.1.el7ea | 0:2.1.18-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.20-2.SP1_redhat_00001.1.el7ea | 0:5.0.20-2.SP1_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-5.Final_redhat_00006.1.el7ea | 0:1.7.2-5.Final_redhat_00006.1.el7ea |
| redhat/eap7-narayana | <0:5.9.11-1.Final_redhat_00001.1.el7ea | 0:5.9.11-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-undertow | <0:2.0.34-1.SP1_redhat_00001.1.el7ea | 0:2.0.34-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.6-1.GA_redhat_00002.1.el7ea | 0:7.3.6-1.GA_redhat_00002.1.el7ea |
| redhat/eap7-wildfly-elytron | <0:1.10.11-1.Final_redhat_00001.1.el7ea | 0:1.10.11-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.25-1.Final_redhat_00001.1.el7ea | 0:1.0.25-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-naming-client | <0:1.0.14-1.Final_redhat_00001.1.el7ea | 0:1.0.14-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-activemq-artemis | <0:2.9.0-9.redhat_00019.1.el8ea | 0:2.9.0-9.redhat_00019.1.el8ea |
| redhat/eap7-bouncycastle | <0:1.68.0-1.redhat_00001.1.el8ea | 0:1.68.0-1.redhat_00001.1.el8ea |
| redhat/eap7-guava-failureaccess | <0:1.0.1-1.redhat_00002.1.el8ea | 0:1.0.1-1.redhat_00002.1.el8ea |
| redhat/eap7-guava-libraries | <0:30.1.0-1.redhat_00001.1.el8ea | 0:30.1.0-1.redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.2.13-1.Final_redhat_00001.1.el8ea | 0:3.2.13-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.27-1.Final_redhat_00001.1.el8ea | 0:1.4.27-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-ejb-client | <0:4.0.39-1.SP1_redhat_00001.1.el8ea | 0:4.0.39-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-jboss-logmanager | <0:2.1.18-1.Final_redhat_00001.1.el8ea | 0:2.1.18-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.20-2.SP1_redhat_00001.1.el8ea | 0:5.0.20-2.SP1_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-5.Final_redhat_00006.1.el8ea | 0:1.7.2-5.Final_redhat_00006.1.el8ea |
| redhat/eap7-narayana | <0:5.9.11-1.Final_redhat_00001.1.el8ea | 0:5.9.11-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.0.34-1.SP1_redhat_00001.1.el8ea | 0:2.0.34-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.6-1.GA_redhat_00002.1.el8ea | 0:7.3.6-1.GA_redhat_00002.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.10.11-1.Final_redhat_00001.1.el8ea | 0:1.10.11-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.25-1.Final_redhat_00001.1.el8ea | 0:1.0.25-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-naming-client | <0:1.0.14-1.Final_redhat_00001.1.el8ea | 0:1.0.14-1.Final_redhat_00001.1.el8ea |
| redhat/jboss-ejb-client | <4.0.39 | 4.0.39 |
| Red Hat JBoss EJB Client | <4.0.39 | |
| Red Hat JBoss Enterprise Application Platform Expansion Pack |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1929479
- https://github.com/wildfly/jboss-ejb-client/pull/503
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2021:0885
- https://access.redhat.com/errata/RHSA-2021:0873
- https://access.redhat.com/errata/RHSA-2021:0874
- https://access.redhat.com/errata/RHSA-2021:0872
- https://access.redhat.com/security/cve/cve-2021-20250
- https://access.redhat.com/errata/RHSA-2021:0974
- https://access.redhat.com/errata/RHSA-2021:2210
- https://access.redhat.com/errata/RHSA-2021:2755
- https://www.cve.org/CVERecord?id=CVE-2021-20250 https://nvd.nist.gov/vuln/detail/CVE-2021-20250
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-20250?
CVE-2021-20250 has a high severity rating due to its potential impact on data confidentiality.
How do I fix CVE-2021-20250?
To fix CVE-2021-20250, update the JBoss EJB client to version 4.0.39 or later, or apply the relevant patches provided by Red Hat.
What are the affected software packages for CVE-2021-20250?
CVE-2021-20250 affects several Red Hat packages including eap7-jboss-ejb-client and others listed in the advisory.
Is CVE-2021-20250 a remote exploitation vulnerability?
Yes, CVE-2021-20250 can potentially be exploited remotely due to its publicly accessible privileged actions.
What is the primary impact of CVE-2021-20250?
The primary impact of CVE-2021-20250 is information disclosure affecting the confidentiality of data on the server.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20250
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat jboss ejb client
- canonical/red hat jboss enterprise application platform expansion pack