Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: 21.1.0.Beta2, 21.1.1.Final, 22.0.0.Beta3
None
https://access.redhat.com/security/cve/CVE-2023-4061
The handler for the 'resolve-expression' management operation does not check that the caller has the RBAC permissions needed to read system properties or JVM settings (i.e. environment variables) before resolving an expression. A caller can therefore read those values by embedding a reference to them in an expression passed to 'resolve-expression', bypassing the checks that apply to reading them directly. Note that callers must be authenticated.
As part of this work, besides adding the needed RBAC checks, we decided to make reading system properties sensitive by default; the current default for reads is not sensitive.
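The following is an added illustration and not WildFly's own code: a toy resolver for `${prop}`, `${prop:default}` and `${env.NAME}` expressions in the shape the issue describes, first without any permission check (the vulnerable shape) and then with the same check a direct read of the underlying property or variable would be subject to. The `Caller` and `Target` types, the permission sets and the sample property and environment values are all constructed for the example; the point is that the resolver is a second read path and must enforce the same constraint as the first.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Illustration only (not WildFly code). Models why an expression resolver
 * must apply the same RBAC check as a direct attribute read: a caller who is
 * denied reading /system-property=db.password must also be denied
 * :resolve-expression(expression="${db.password}").
 */
public class ResolveExpressionRbac {

    /** Hypothetical sensitivity classes a caller may or may not be allowed to read. */
    enum Target { SYSTEM_PROPERTY, ENVIRONMENT_VARIABLE }

    /** Hypothetical authenticated caller carrying its effective read permissions. */
    record Caller(String name, Set<Target> readable) {
        boolean mayRead(Target t) { return readable.contains(t); }
    }

    /** Matches ${key} and ${key:default}; "env." keys refer to environment variables. */
    static final Pattern EXPR = Pattern.compile("\\$\\{([^}:]+)(?::([^}]*))?\\}");

    // Constructed sample data standing in for the JVM's real properties and environment.
    static final Map<String, String> SYS = Map.of(
            "db.password", "s3cr3t",
            "jboss.home.dir", "/opt/wildfly");
    static final Map<String, String> ENV = Map.of(
            "AWS_SECRET_ACCESS_KEY", "wJalrXUtnFEMI...");

    /** Vulnerable shape: resolves whatever is asked, regardless of who is asking. */
    static String resolveUnchecked(String expression) {
        return resolve(expression, null);
    }

    /** Hardened shape: refuses to expand a source the caller is not permitted to read. */
    static String resolveChecked(Caller caller, String expression) {
        return resolve(expression, caller);
    }

    // A null caller means "no check", which is exactly the bug being modelled.
    private static String resolve(String expression, Caller caller) {
        Matcher m = EXPR.matcher(expression);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String key = m.group(1);
            String dflt = m.group(2);
            String value;
            if (key.startsWith("env.")) {
                requireRead(caller, Target.ENVIRONMENT_VARIABLE, key);
                value = ENV.get(key.substring("env.".length()));
            } else {
                requireRead(caller, Target.SYSTEM_PROPERTY, key);
                value = SYS.get(key);
            }
            if (value == null) value = dflt;
            if (value == null) throw new IllegalArgumentException("Cannot resolve " + key);
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // The check is made before the value is even looked up, so nothing leaks via error text.
    private static void requireRead(Caller caller, Target target, String key) {
        if (caller != null && !caller.mayRead(target)) {
            throw new SecurityException(caller.name() + " may not read " + target + " (" + key + ")");
        }
    }

    public static void main(String[] args) {
        // Authenticated, but with no permission to read sensitive properties or env vars.
        Caller lowPrivilege = new Caller("monitor", Set.of());
        String probe = "${db.password}:${env.AWS_SECRET_ACCESS_KEY}";

        System.out.println("unchecked: " + resolveUnchecked(probe)); // both secrets come back
        try {
            resolveChecked(lowPrivilege, probe);
        } catch (SecurityException e) {
            System.out.println("checked:   " + e.getMessage());         // refused
        }

        // A caller that is allowed to read these sources still gets normal resolution.
        Caller admin = new Caller("admin", Set.of(Target.SYSTEM_PROPERTY, Target.ENVIRONMENT_VARIABLE));
        System.out.println("admin:     " + resolveChecked(admin, "${jboss.home.dir}/standalone"));
        System.out.println("default:   " + resolveChecked(admin, "${missing.prop:fallback}"));
    }
}
```

The probe string corresponds to what a low-privilege management user could pass to the real operation as `:resolve-expression(expression="${db.password}")`; on a fixed server that call should fail for a caller who is not allowed to read the property, rather than return its value. The second part of the fix described above, making system-property reads sensitive by default, means that `/system-property=db.password:read-attribute(name=value)` is likewise restricted to roles permitted to read sensitive data, so both read paths are gated by the same constraint.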