CVE-2021-3536: XSS
First published: Fri Apr 09 2021(Updated: )
A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/eap7-elytron-web | <0:1.6.3-1.Final_redhat_00001.1.el6ea | 0:1.6.3-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hal-console | <0:3.2.15-1.Final_redhat_00001.1.el6ea | 0:3.2.15-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-hibernate | <0:5.3.20-3.SP1_redhat_00001.1.el6ea | 0:5.3.20-3.SP1_redhat_00001.1.el6ea |
| redhat/eap7-infinispan | <0:9.4.23-1.Final_redhat_00001.1.el6ea | 0:9.4.23-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-ironjacamar | <0:1.4.33-1.Final_redhat_00001.1.el6ea | 0:1.4.33-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jberet | <0:1.3.8-1.Final_redhat_00001.1.el6ea | 0:1.3.8-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-1.Final_redhat_00001.1.el6ea | 0:5.0.23-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-7.Final_redhat_00008.1.el6ea | 0:1.7.2-7.Final_redhat_00008.1.el6ea |
| redhat/eap7-netty | <0:4.1.63-1.Final_redhat_00001.1.el6ea | 0:4.1.63-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-undertow | <0:2.0.38-1.SP1_redhat_00001.1.el6ea | 0:2.0.38-1.SP1_redhat_00001.1.el6ea |
| redhat/eap7-wildfly | <0:7.3.8-1.GA_redhat_00001.1.el6ea | 0:7.3.8-1.GA_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-elytron | <0:1.10.13-1.Final_redhat_00001.1.el6ea | 0:1.10.13-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-wildfly-http-client | <0:1.0.28-1.Final_redhat_00001.1.el6ea | 0:1.0.28-1.Final_redhat_00001.1.el6ea |
| redhat/eap7-elytron-web | <0:1.6.3-1.Final_redhat_00001.1.el7ea | 0:1.6.3-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hal-console | <0:3.2.15-1.Final_redhat_00001.1.el7ea | 0:3.2.15-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-hibernate | <0:5.3.20-3.SP1_redhat_00001.1.el7ea | 0:5.3.20-3.SP1_redhat_00001.1.el7ea |
| redhat/eap7-infinispan | <0:9.4.23-1.Final_redhat_00001.1.el7ea | 0:9.4.23-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-ironjacamar | <0:1.4.33-1.Final_redhat_00001.1.el7ea | 0:1.4.33-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jberet | <0:1.3.8-1.Final_redhat_00001.1.el7ea | 0:1.3.8-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-1.Final_redhat_00001.1.el7ea | 0:5.0.23-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-7.Final_redhat_00008.1.el7ea | 0:1.7.2-7.Final_redhat_00008.1.el7ea |
| redhat/eap7-netty | <0:4.1.63-1.Final_redhat_00001.1.el7ea | 0:4.1.63-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-undertow | <0:2.0.38-1.SP1_redhat_00001.1.el7ea | 0:2.0.38-1.SP1_redhat_00001.1.el7ea |
| redhat/eap7-wildfly | <0:7.3.8-1.GA_redhat_00001.1.el7ea | 0:7.3.8-1.GA_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-elytron | <0:1.10.13-1.Final_redhat_00001.1.el7ea | 0:1.10.13-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-wildfly-http-client | <0:1.0.28-1.Final_redhat_00001.1.el7ea | 0:1.0.28-1.Final_redhat_00001.1.el7ea |
| redhat/eap7-elytron-web | <0:1.6.3-1.Final_redhat_00001.1.el8ea | 0:1.6.3-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hal-console | <0:3.2.15-1.Final_redhat_00001.1.el8ea | 0:3.2.15-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-hibernate | <0:5.3.20-3.SP1_redhat_00001.1.el8ea | 0:5.3.20-3.SP1_redhat_00001.1.el8ea |
| redhat/eap7-infinispan | <0:9.4.23-1.Final_redhat_00001.1.el8ea | 0:9.4.23-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-ironjacamar | <0:1.4.33-1.Final_redhat_00001.1.el8ea | 0:1.4.33-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jberet | <0:1.3.8-1.Final_redhat_00001.1.el8ea | 0:1.3.8-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-remoting | <0:5.0.23-1.Final_redhat_00001.1.el8ea | 0:5.0.23-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-jboss-server-migration | <0:1.7.2-7.Final_redhat_00008.1.el8ea | 0:1.7.2-7.Final_redhat_00008.1.el8ea |
| redhat/eap7-netty | <0:4.1.63-1.Final_redhat_00001.1.el8ea | 0:4.1.63-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-undertow | <0:2.0.38-1.SP1_redhat_00001.1.el8ea | 0:2.0.38-1.SP1_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.3.8-1.GA_redhat_00001.1.el8ea | 0:7.3.8-1.GA_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-elytron | <0:1.10.13-1.Final_redhat_00001.1.el8ea | 0:1.10.13-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly-http-client | <0:1.0.28-1.Final_redhat_00001.1.el8ea | 0:1.0.28-1.Final_redhat_00001.1.el8ea |
| redhat/eap7-wildfly | <0:7.4.1-2.GA_redhat_00003.1.el8ea | 0:7.4.1-2.GA_redhat_00003.1.el8ea |
| redhat/eap7-wildfly | <0:7.4.1-2.GA_redhat_00003.1.el7ea | 0:7.4.1-2.GA_redhat_00003.1.el7ea |
| redhat/Wildfly | <23.0.2. | 23.0.2. |
| Red Hat Quarkus | ||
| Red Hat Data Grid | =8.0 | |
| Red Hat Decision Manager | =7.0 | |
| Red Hat Integration - Camel K | ||
| Red Hat Quarkus | ||
| Red Hat Integration - Service Registry | ||
| Red Hat JBoss A-MQ | =7 | |
| JBoss Enterprise Application Platform | =7.0 | |
| WildFly | <23.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=1948001
- https://access.redhat.com/errata/RHSA-2021:2696
- https://access.redhat.com/errata/RHSA-2021:2693
- https://access.redhat.com/errata/RHSA-2021:2692
- https://access.redhat.com/errata/RHSA-2021:2694
- https://access.redhat.com/security/cve/cve-2021-3536
- https://access.redhat.com/errata/RHSA-2021:2755
- https://access.redhat.com/errata/RHSA-2021:2965
- https://access.redhat.com/errata/RHSA-2021:3656
- https://access.redhat.com/errata/RHSA-2021:3658
- https://access.redhat.com/errata/RHSA-2021:3660
- https://access.redhat.com/errata/RHSA-2021:5134
- https://www.cve.org/CVERecord?id=CVE-2021-3536 https://nvd.nist.gov/vuln/detail/CVE-2021-3536
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-3536?
CVE-2021-3536 has a severity rating that impacts both confidentiality and integrity due to an XSS vulnerability.
How do I fix CVE-2021-3536?
To fix CVE-2021-3536, upgrade Wildfly to version 23.0.2 or later.
Which versions of Wildfly are affected by CVE-2021-3536?
Versions of Wildfly prior to 23.0.2.Final are affected by CVE-2021-3536.
What type of vulnerability is CVE-2021-3536?
CVE-2021-3536 is classified as a Cross-Site Scripting (XSS) vulnerability.
Can CVE-2021-3536 be exploited via the admin console?
Yes, CVE-2021-3536 can be exploited through the admin console when creating new roles.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3536
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/redhat
- canonical/red hat quarkus
- canonical/red hat data grid
- version/red hat data grid/8.0
- canonical/red hat decision manager
- version/red hat decision manager/7.0
- canonical/red hat integration - camel k
- canonical/red hat integration - service registry
- canonical/red hat jboss a-mq
- version/red hat jboss a-mq/7
- canonical/jboss enterprise application platform
- version/jboss enterprise application platform/7.0
- canonical/wildfly