Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-6544

CVE-2023-4061 Management User RBAC permission allows unexpected reading of system-properties to an Unauthorized actor

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • 22.0.0.Final
    • 21.1.0.Beta2, 21.1.1.Final, 22.0.0.Beta3
    • Management
    • None

      https://access.redhat.com/security/cve/CVE-2023-4061

       

      The handler for the 'resolve-expression' management operation is not checking the caller has RBAC permissions to read system properties or JVM settings (i.e. environment variables) before resolving, allowing callers to read those values by incorporating them into an expression passed to 'resolve-expression'.  Note that callers must be authenticated.

      As part of the work on this, besides adding the needed RBAC checks we decided to make reading system properties sensitive by default; the current default for reads is not sensitive.

              bstansbe@redhat.com Brian Stansberry
              bstansbe@redhat.com Brian Stansberry
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: