GHSA-qr6x-62gq-4ccp

Source
https://github.com/advisories/GHSA-qr6x-62gq-4ccp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qr6x-62gq-4ccp/GHSA-qr6x-62gq-4ccp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qr6x-62gq-4ccp
Aliases
Published
2025-01-31T17:34:30Z
Modified
2025-10-15T22:57:19.209144Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
WildFly improper RBAC permission
Details

A flaw was found in the WildFly Server Role Based Access Control (RBAC) provider. When authorization of management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with the Monitor or Auditor role is supposed to have read-only permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume operation handlers not performing an authorization check to validate that the current user has the permissions required to proceed with the action.

Impact

A standalone server (domain mode is not affected) with access control enabled using the RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, it stops accepting user requests. The resume handler does the opposite: it causes a suspended server to start accepting user requests again.

Patches

Fixed in WildFly Core 27.0.1.Final

Workarounds

No workaround available

References

See also: https://issues.redhat.com/browse/WFCORE-7153

Acknowledgements

The WildFly project would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue. https://www.gruppotim.it/it/footer/red-team.html

Database specific
{
    "github_reviewed": true,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-284"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2025-01-31T17:34:30Z"
}
Affected packages

Maven / org.wildfly.core:wildfly-server

Package

Name
org.wildfly.core:wildfly-server
Purl
pkg:maven/org.wildfly.core/wildfly-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
27.0.1.Final

Affected versions

1.*

1.0.0.Alpha1
1.0.0.Alpha2
1.0.0.Alpha3
1.0.0.Alpha4
1.0.0.Alpha5
1.0.0.Alpha6
1.0.0.Alpha7
1.0.0.Alpha8
1.0.0.Alpha9
1.0.0.Alpha10
1.0.0.Alpha11
1.0.0.Alpha12
1.0.0.Alpha13
1.0.0.Alpha14
1.0.0.Alpha15
1.0.0.Alpha16
1.0.0.Alpha17
1.0.0.Alpha18
1.0.0.Alpha19
1.0.0.Beta1
1.0.0.Beta2
1.0.0.Beta3
1.0.0.Beta4
1.0.0.Beta5
1.0.0.Beta6
1.0.0.CR1
1.0.0.CR2
1.0.0.CR3
1.0.0.CR4
1.0.0.CR5
1.0.0.CR6
1.0.0.CR7
1.0.0.Final
1.0.1.Final
1.0.2.Final

2.*

2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.Alpha4
2.0.0.Alpha5
2.0.0.Alpha6
2.0.0.Alpha7
2.0.0.Alpha8
2.0.0.Alpha9
2.0.0.Alpha10
2.0.0.Alpha11
2.0.0.Alpha12
2.0.0.Alpha13
2.0.0.Beta1
2.0.0.Beta2
2.0.0.Beta3
2.0.0.Beta4
2.0.0.Beta5
2.0.0.Beta6
2.0.0.Beta7
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.CR4
2.0.0.CR5
2.0.0.CR6
2.0.0.CR7
2.0.0.CR8
2.0.0.CR9
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.0.4.Final
2.0.5.CR1
2.0.5.Final
2.0.6.Final
2.0.7.Final
2.0.8.Final
2.0.9.Final
2.0.10.Final
2.1.0.CR1
2.1.0.CR2
2.1.0.Final
2.2.0.CR1
2.2.0.CR2
2.2.0.CR3
2.2.0.CR4
2.2.0.CR5
2.2.0.CR6
2.2.0.CR7
2.2.0.CR8
2.2.0.CR9
2.2.0.Final
2.2.1.CR1
2.2.1.CR2
2.2.1.Final

3.*

3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Alpha7
3.0.0.Alpha8
3.0.0.Alpha9
3.0.0.Alpha10
3.0.0.Alpha11
3.0.0.Alpha12
3.0.0.Alpha13
3.0.0.Alpha14
3.0.0.Alpha15
3.0.0.Alpha16
3.0.0.Alpha17
3.0.0.Alpha18
3.0.0.Alpha19
3.0.0.Alpha20
3.0.0.Alpha21
3.0.0.Alpha22
3.0.0.Alpha23
3.0.0.Alpha24
3.0.0.Alpha25
3.0.0.Beta1
3.0.0.Beta2
3.0.0.Beta3
3.0.0.Beta5
3.0.0.Beta6
3.0.0.Beta7
3.0.0.Beta8
3.0.0.Beta9
3.0.0.Beta10
3.0.0.Beta11
3.0.0.Beta12
3.0.0.Beta13
3.0.0.Beta14
3.0.0.Beta15
3.0.0.Beta16
3.0.0.Beta17
3.0.0.Beta18
3.0.0.Beta19
3.0.0.Beta20
3.0.0.Beta21
3.0.0.Beta22
3.0.0.Beta23
3.0.0.Beta24
3.0.0.Beta25
3.0.0.Beta26
3.0.0.Beta27
3.0.0.Beta28
3.0.0.Beta29
3.0.0.Beta30
3.0.0.Beta31
3.0.0.CR1
3.0.0.Final
3.0.1.Final
3.0.2.CR1
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.0.5.Final
3.0.6.Final
3.0.7.Final
3.0.8.Final
3.0.9.Final
3.0.10.Final
3.1.0.Final

4.*

4.0.0.Alpha1
4.0.0.Alpha2
4.0.0.Alpha3
4.0.0.Alpha4
4.0.0.Alpha5
4.0.0.Alpha6
4.0.0.Alpha7
4.0.0.Alpha8
4.0.0.Alpha9
4.0.0.Alpha10
4.0.0.Beta1
4.0.0.Beta2
4.0.0.CR1
4.0.0.Final

5.*

5.0.0.Alpha1
5.0.0.Alpha2
5.0.0.Alpha3
5.0.0.Alpha4
5.0.0.Alpha5
5.0.0.Alpha6
5.0.0.Alpha7
5.0.0.Beta1
5.0.0.Beta2
5.0.0.Beta3
5.0.0.Beta4
5.0.0.Beta5
5.0.0.CR1
5.0.0.Final

6.*

6.0.0.Alpha1
6.0.0.Alpha2
6.0.0.Alpha3
6.0.0.Alpha4
6.0.0.Alpha5
6.0.0.Beta1
6.0.0.CR1
6.0.0.CR2
6.0.0.CR3
6.0.0.CR4
6.0.0.Final
6.0.1.Final
6.0.2.Final

7.*

7.0.0.Alpha1
7.0.0.Alpha2
7.0.0.Alpha3
7.0.0.Alpha4
7.0.0.Alpha5
7.0.0.Beta1
7.0.0.CR1
7.0.0.Final

8.*

8.0.0.Beta1
8.0.0.Beta2
8.0.0.Beta3
8.0.0.Beta4
8.0.0.Beta5
8.0.0.CR1
8.0.0.Final

9.*

9.0.0.Beta1
9.0.0.Beta2
9.0.0.Beta3
9.0.0.Beta4
9.0.0.Beta5
9.0.0.Beta6
9.0.0.Beta7
9.0.0.Final
9.0.1.Final
9.0.2.Final

10.*

10.0.0.Beta1
10.0.0.Beta2
10.0.0.Beta3
10.0.0.Beta4
10.0.0.Beta5
10.0.0.Beta6
10.0.0.Beta7
10.0.0.Beta8
10.0.0.Beta9
10.0.0.CR1
10.0.0.Final
10.0.2.Final
10.0.3.Final

11.*

11.0.0.Beta1
11.0.0.Beta2
11.0.0.Beta3
11.0.0.Beta4
11.0.0.Beta5
11.0.0.Beta6
11.0.0.Beta7
11.0.0.Beta8
11.0.0.Beta9
11.0.0.Beta10
11.0.0.Final
11.1.0.Final
11.1.1.Final

12.*

12.0.0.Beta1
12.0.0.Beta2
12.0.0.Beta3
12.0.0.Beta4
12.0.0.Final
12.0.1.Final
12.0.3.Final

13.*

13.0.0.Beta1
13.0.0.Beta2
13.0.0.Beta3
13.0.0.Beta4
13.0.0.Beta5
13.0.0.Beta6
13.0.0.Final
13.0.1.Final
13.0.2.Final
13.0.3.Final

14.*

14.0.0.Beta1
14.0.0.Beta2
14.0.0.Beta3
14.0.0.Beta4
14.0.0.Beta5
14.0.0.Final
14.0.1.Final

15.*

15.0.0.Beta1
15.0.0.Final
15.0.1.Final

16.*

16.0.0.Beta1
16.0.0.Beta2
16.0.0.Beta3
16.0.0.Beta4
16.0.0.Beta5
16.0.0.Final
16.0.1.Final

17.*

17.0.0.Beta1
17.0.0.Beta2
17.0.0.Beta3
17.0.0.Beta4
17.0.0.Beta5
17.0.0.Beta6
17.0.0.Beta7
17.0.0.Final
17.0.1.Final
17.0.2.Final
17.0.3.Final

18.*

18.0.0.Beta1
18.0.0.Beta2
18.0.0.Beta3
18.0.0.Beta4
18.0.0.Beta5
18.0.0.Final
18.0.1.Final
18.0.2.Final
18.0.3.Final
18.0.4.Final
18.1.0.Beta1
18.1.0.Final
18.1.1.Final
18.1.2.Final

19.*

19.0.0.Beta1
19.0.0.Beta2
19.0.0.Beta3
19.0.0.Beta5
19.0.0.Beta6
19.0.0.Beta7
19.0.0.Beta8
19.0.0.Beta9
19.0.0.Beta10
19.0.0.Beta11
19.0.0.Beta12
19.0.0.Beta13
19.0.0.Beta14
19.0.0.Beta15
19.0.0.Beta17
19.0.0.Beta18
19.0.0.Final
19.0.1.Final

20.*

20.0.0.Beta1
20.0.0.Beta2
20.0.0.Beta3
20.0.0.Beta4
20.0.0.Beta5
20.0.0.Beta6
20.0.0.Beta7
20.0.0.Beta8
20.0.0.Final
20.0.1.Final
20.0.2.Final

21.*

21.0.0.Beta1
21.0.0.Beta2
21.0.0.Beta3
21.0.0.Beta4
21.1.0.Beta1
21.1.0.Beta2
21.1.0.Final
21.1.1.Final

22.*

22.0.0.Beta1
22.0.0.Beta2
22.0.0.Beta3
22.0.0.Final
22.0.1.Final
22.0.2.Final

23.*

23.0.0.Beta1
23.0.0.Beta2
23.0.0.Beta3
23.0.0.Beta4
23.0.0.Beta5
23.0.0.Final
23.0.1.Final
23.0.2.Final
23.0.3.Final

24.*

24.0.0.Beta1
24.0.0.Beta2
24.0.0.Beta3
24.0.0.Final
24.0.1.Final

25.*

25.0.0.Beta1
25.0.0.Beta2
25.0.0.Beta3
25.0.0.Beta4
25.0.0.Beta5
25.0.0.Final
25.0.1.Final
25.0.2.Final

26.*

26.0.0.Beta1
26.0.0.Beta2
26.0.0.Beta3
26.0.0.Beta4
26.0.0.Beta5
26.0.0.Final
26.0.1.Final

27.*

27.0.0.Beta1
27.0.0.Beta2
27.0.0.Beta3
27.0.0.Beta4
27.0.0.Beta5
27.0.0.Beta6
27.0.0.Beta7
27.0.0.Final

Maven / org.wildfly.core:wildfly-server

Package

Name
org.wildfly.core:wildfly-server
Purl
pkg:maven/org.wildfly.core/wildfly-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
28.0.0.Beta1
Fixed
28.0.0.Beta2

Affected versions

28.*

28.0.0.Beta1
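The two affected ranges above are easiest to apply when a build's resolved dependencies are checked against them mechanically. The following Python script is an added example, not code from the OSV record or from the WildFly project: it parses WildFly-style version strings, evaluates both ranges listed on this page (introduced 0 / fixed 27.0.1.Final, and introduced 28.0.0.Beta1 / fixed 28.0.0.Beta2, with the fixed version exclusive as in OSV range semantics), and scans dependency output in the `mvn dependency:list` line format. The qualifier ordering Alpha < Beta < CR < Final is an assumption made for this example, and the dependency-list sample is constructed.

```python
"""Check org.wildfly.core:wildfly-server versions against GHSA-qr6x-62gq-4ccp.

Added example; not part of the OSV record or the WildFly project.
"""
import re
from typing import List, Optional, Tuple

# Assumed ordering of WildFly release qualifiers (not stated on the advisory page).
QUALIFIER_RANK = {"alpha": 0, "beta": 1, "cr": 2, "final": 3}

# Affected ranges copied from the advisory: (introduced, fixed); fixed is exclusive.
AFFECTED_RANGES: List[Tuple[str, Optional[str]]] = [
    ("0", "27.0.1.Final"),
    ("28.0.0.Beta1", "28.0.0.Beta2"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '27.0.0.Beta7' into a comparable tuple (27, 0, 0, rank, 7)."""
    text = text.strip()
    if text == "0":
        # OSV sentinel for "all previous versions": sorts below everything.
        return (0, 0, 0, -1, 0)
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WildFly version: {text!r}")
    major, minor, patch, qual, qnum = m.groups()
    if qual is None:
        # A bare '27.0.1' is treated like a Final release (assumption).
        rank, num = QUALIFIER_RANK["final"], 0
    else:
        q = qual.lower()
        if q not in QUALIFIER_RANK:
            raise ValueError(f"unknown qualifier {qual!r} in {text!r}")
        rank, num = QUALIFIER_RANK[q], int(qnum) if qnum else 0
    return (int(major), int(minor), int(patch), rank, num)


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if version lies in any [introduced, fixed) range of the advisory."""
    v = parse_version(version)
    for introduced, fixed in ranges:
        lo = parse_version(introduced)
        hi = parse_version(fixed) if fixed else None
        if v >= lo and (hi is None or v < hi):
            return True
    return False


def scan_dependency_list(text: str, package: str = "org.wildfly.core:wildfly-server"):
    """Find affected occurrences of `package` in `mvn dependency:list` output.

    Each resolved line has the shape
    '[INFO]    group:artifact:type[:classifier]:version:scope'.
    """
    hits = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "", 1).strip().split(":")
        if len(parts) < 5:
            continue  # headers and other non-coordinate lines
        coord, version = f"{parts[0]}:{parts[1]}", parts[-2]
        if coord == package and is_affected(version):
            hits.append((coord, version))
    return hits


# Constructed sample of `mvn dependency:list` output (not real project output).
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.wildfly.core:wildfly-server:jar:27.0.0.Final:compile
[INFO]    org.wildfly.core:wildfly-controller:jar:27.0.0.Final:compile
[INFO]    org.jboss.logging:jboss-logging:jar:3.5.0.Final:compile
"""

if __name__ == "__main__":
    for hit in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print("affected:", *hit)
```

Run it against the output of `mvn dependency:list` from the build in question; any hit means the resolved wildfly-server artifact is inside an affected range and should be moved to 27.0.1.Final (or 28.0.0.Beta2 on the 28 line) or later. Only the standalone-server RBAC scenario described under Impact is exposed, so a hit confirms the vulnerable component is present, not by itself that the deployment is exploitable.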