A vulnerability was found in WildFly in versions before 20.0.0.Final, where a remote deserialization attack is possible in Enterprise JavaBeans (EJB) due to the lack of validation/filtering capabilities in WildFly.
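The missing control the description refers to is an allow-list on what the deserializing side is willing to instantiate. The following is an added, stand-alone example written for this page; it is not WildFly's code and not the fix shipped in 20.0.0.Final. It uses the JDK's own ObjectInputFilter (JEP 290, Java 9+) with a constructed Invoice type as the "expected" payload and a constructed Unexpected type standing in for any class an attacker could smuggle into the stream; the Unexpected class and its print side effect are assumptions for illustration, not a real gadget.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not WildFly code): allow-list filtering of Java deserialization.
public class FilteredDeserialization {

    // The one type this endpoint legitimately expects (constructed for the example).
    static final class Invoice implements Serializable {
        private static final long serialVersionUID = 1L;
        final String customer;
        final long amountCents;
        Invoice(String customer, long amountCents) {
            this.customer = customer;
            this.amountCents = amountCents;
        }
    }

    // Stands in for any Serializable class on the classpath that the caller never
    // intended to receive (constructed, harmless). readObject() runs during
    // deserialization, before the caller gets to cast or validate anything.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("Unexpected.readObject() ran during deserialization");
        }
    }

    // Allow-list: the expected class, java.lang.String, resource limits, then reject everything
    // else ("!*"). Class names must be fully qualified; nested classes use '$'.
    static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
        "FilteredDeserialization$Invoice;java.lang.String;maxdepth=8;maxrefs=32;maxbytes=4096;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    // filter == null reproduces the unfiltered (pre-fix) behaviour: every class in the
    // stream is resolved and instantiated as long as it is on the classpath.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                in.setObjectInputFilter(filter);   // must be set before the first readObject()
            }
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Invoice("acme", 12_500));
        byte[] bad = serialize(new Unexpected());

        // Unfiltered: the unexpected class is instantiated and its readObject() runs.
        deserialize(bad, null);

        // Filtered: the expected type passes; the unexpected one is rejected before any
        // instance is created, so its readObject() never executes.
        Invoice inv = (Invoice) deserialize(good, ALLOW_LIST);
        System.out.println("accepted: " + inv.customer + " " + inv.amountCents);
        try {
            deserialize(bad, ALLOW_LIST);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // "filter status: REJECTED"
        }
    }
}
```

Compile and run with `javac FilteredDeserialization.java && java FilteredDeserialization` on a JDK 9 or later. The same allow-list can be applied process-wide with `-Djdk.serialFilter=...` instead of per stream; either way the filter runs before class instantiation, which is the property a per-call cast or post-read validation cannot give you.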
Recent assessments:
space-r7 on July 17, 2020 2:11pm UTC reported:
Versions of WildFly below 20.0.0.Final can load arbitrary classes through either JNDI or EJB invocation, which could potentially result in RCE. That said, authentication is required, making exploitation all the more difficult.
Assessed Attacker Value: 3