Wildfly@* Security Vulnerabilities and Issues — Wildfly@* CVE List

Lucene search

WildflyWildfly*

11 matches found

CVE•added 2021/05/20 1:15 p.m.•202 views

CVE-2021-3536

A flaw was found in Wildfly in versions before 23.0.2.Final while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity.

4.8CVSS5AI score0.00284EPSS

CVE•added 2022/05/24 7:15 p.m.•194 views

CVE-2021-3717

A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfl...

7.8CVSS7.2AI score0.00038EPSS

CVE•added 2020/09/16 4:15 p.m.•142 views

CVE-2020-1748

A flaw was found in all supported versions before wildfly-elytron-1.6.8.Final-redhat-00001, where the WildFlySecurityManager checks were bypassed when using custom security managers, resulting in an improper authorization. This flaw leads to information exposure by unauthenticated access to secure ...

7.5CVSS7.2AI score0.0031EPSS

CVE•added 2021/05/13 2:15 p.m.•135 views

CVE-2021-20250

A flaw was found in wildfly. The JBoss EJB client has publicly accessible privileged actions which may lead to information disclosure on the server it is deployed on. The highest threat from this vulnerability is to data confidentiality.

4.3CVSS4.3AI score0.00171EPSS

CVE•added 2020/09/16 7:15 p.m.•120 views

CVE-2020-10718

A flaw was found in Wildfly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from this vulnerability is ...

7.5CVSS7.2AI score0.0027EPSS

CVE•added 2022/05/10 9:15 p.m.•120 views

CVE-2022-0866

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org....

5.3CVSS5.3AI score0.002EPSS

CVE•added 2020/09/17 3:15 p.m.•118 views

CVE-2020-14338

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue...

5.3CVSS6.4AI score0.00588EPSS

CVE•added 2021/06/07 5:15 p.m.•112 views

CVE-2020-1719

A flaw was found in wildfly. The EJBContext principle is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before wildfly 20.0.0.Final are affected.

5.5CVSS5.4AI score0.00122EPSS

CVE•added 2020/12/08 1:15 a.m.•97 views

CVE-2020-27822

A flaw was found in Wildfly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availability of the server. ...

7.1CVSS5.5AI score0.00339EPSS

CVE•added 2020/11/24 7:15 p.m.•95 views

CVE-2020-25640

A flaw was discovered in WildFly before 21.0.0.Final where, Resource adapter logs plain text JMS password at warning level on connection error, inserting sensitive information in the log file.

5.3CVSS5.2AI score0.00354EPSS

CVE•added 2022/04/18 5:15 p.m.•85 views

CVE-2021-3503

A flaw was found in Wildfly where insufficient RBAC restrictions may lead to expose metrics data. The highest threat from this vulnerability is to the confidentiality.

4.3CVSS4.3AI score0.00445EPSS