CVE-2023-4061: Wildfly-core: management user rbac permission allows unexpected reading of system-properties to an unauthorized actor
First published: Wed Aug 02 2023(Updated: )
A flaw was found in wildfly-core. A management user could use the resolve-expression in the HAL Interface to read possible sensitive information from the Wildfly system. This issue could allow a malicious user to access the system and obtain possible sensitive information from the system.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/wildfly-core | <15.0.30. | 15.0.30. |
| Redhat Jboss Enterprise Application Platform | ||
| Redhat Wildfly Core | <15.0.30 | |
| Redhat Jboss Enterprise Application Platform | =7.4 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| maven/org.wildfly.core:wildfly-controller | <22.0.0.Final | 22.0.0.Final |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-4061
- https://access.redhat.com/errata/RHSA-2023:5484
- https://access.redhat.com/errata/RHSA-2023:5485
- https://access.redhat.com/errata/RHSA-2023:5486
- https://access.redhat.com/errata/RHSA-2023:5488
- https://access.redhat.com/security/cve/CVE-2023-4061
- https://bugzilla.redhat.com/show_bug.cgi?id=2228608
- https://github.com/wildfly/wildfly-core/pull/5703
- https://github.com/wildfly/wildfly-core/commit/25728f370c2e90969854717ba4bb5182727f3f49
- https://github.com/advisories/GHSA-26qx-4m49-6cfr (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this security flaw?
The vulnerability ID for this security flaw is CVE-2023-4061.
What is the severity of CVE-2023-4061?
The severity of CVE-2023-4061 is medium (6.5).
What software is affected by CVE-2023-4061?
The following software is affected by CVE-2023-4061: wildfly-core (version up to 22.0.0.Final), Redhat Wildfly Core (up to version 15.0.30), Redhat JBoss Enterprise Application Platform (version 7.4), Redhat Jboss Enterprise Application Platform (text-only), Redhat Enterprise Linux 7.0, Redhat Enterprise Linux 8.0, Redhat Enterprise Linux 9.0.
How can a management user use the resolve-expression in the HAL interface?
A management user with rbac permission can use the resolve-expression in the HAL Interface to read possible sensitive information from the Wildfly system.
What is the impact of CVE-2023-4061?
The impact of CVE-2023-4061 is that a malicious user could access the system and obtain possible sensitive information from the system.
- collector/github-advisory-latest
- alias/GHSA-26qx-4m49-6cfr
- alias/CVE-2023-4061
- collector/github-advisory
- collector/nvd-api
- collector/nvd-cve
- agent/references
- agent/type
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/title
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- package-manager/maven
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- canonical/redhat wildfly core
- version/redhat jboss enterprise application platform/7.4
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/redhat