CVE-2022-0866
- Source
- https://cve.org/CVERecord?id=CVE-2022-0866
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0866.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2022-0866
- Aliases
- Downstream
- Published
- 2022-05-10T21:15:08.817Z
- Modified
- 2026-03-14T11:23:00.722198Z
- Severity
-
- 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- [none]
- Details
-
This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong the caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.
- References
Affected packages
Git / github.com/wildfly/wildfly
Affected ranges
- Type
- GIT
- Repo
- https://github.com/wildfly/wildfly
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroducedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "13.0" }, { "introduced": "11.0.0" }, { "fixed": "26.1.1" }, { "introduced": "0" }, { "last_affected": "27.0.0-alpha1" } ] }