6.5

CVE-2025-23367

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. 
The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Collection URLhttps://github.com/wildfly/wildfly-core
Package wildfly-core
Default Statusunaffected
Version < 27.0.1.Final
Version 0
Status affected
Version < 28.0.0.Beta2
Version 28.0.0.Beta1
Status affected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7
Default Statusunaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Default Statusaffected
Version < *
Version 0:7.4.21-3.GA_29548_redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el9eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el9eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Default Statusaffected
Version < *
Version 0:7.4.21-3.GA_29548_redhat_00001.1.el9eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el7eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Default Statusaffected
Version < *
Version 0:4.1.119-1.Final_redhat_00004.1.el7eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Default Statusaffected
Version < *
Version 0:7.4.21-3.GA_29548_redhat_00001.1.el7eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:2.16.1-1.redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:1.80.0-1.redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:800.7.0-2.GA_redhat_00002.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:6.2.35-1.Final_redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:3.0.13-1.Final_redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:3.0.1-1.redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:4.0.11-1.redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:1.0.4-3.redhat_00004.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:3.1.10-1.redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:5.1.5-1.Final_redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:8.0.7-3.GA_redhat_00004.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
Default Statusaffected
Version < *
Version 0:2.2.9-1.Final_redhat_00001.1.el8eap
Status unaffected
VendorRed Hat
Product Red Hat Build of Keycloak
Default Statusunaffected
VendorRed Hat
Product Red Hat Data Grid 8
Default Statusaffected
VendorRed Hat
Product Red Hat Fuse 7
Default Statusunknown
VendorRed Hat
Product Red Hat JBoss Data Grid 7
Default Statusunknown
VendorRed Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Default Statusunaffected
VendorRed Hat
Product Red Hat Process Automation 7
Default Statusunknown
VendorRed Hat
Product Red Hat Single Sign-On 7
Default Statusunknown
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.09% 0.273
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
secalert@redhat.com 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.