CVE-2025-23367

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-23367

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23367.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-23367

Aliases

Downstream

RHSA-2025:3465

RHSA-2025:3989

Published

2025-01-30T15:15:18Z

Modified

2025-10-18T08:22:07.524565Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

References

Affected packages

Git / github.com/wildfly/wildfly

Affected ranges

Type: GIT
Repo: https://github.com/wildfly/wildfly
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

57463efc839fa497a3a17d6a419127f18a52e038

Affected versions

10.*

10.0.0.Alpha1

10.0.0.Alpha2

10.0.0.Alpha3

10.0.0.Alpha4

10.0.0.Alpha5

10.0.0.Alpha6

10.0.0.Beta1

10.0.0.Beta2

10.0.0.CR1

10.0.0.CR2

10.0.0.CR3

10.0.0.CR4

10.0.0.CR5

10.0.0.Final

11.*

11.0.0.Alpha1

11.0.0.Beta1

11.0.0.CR1

11.0.0.Final

12.*

12.0.0.Beta1

12.0.0.CR1

12.0.0.Final

13.*

13.0.0.Beta1

13.0.0.Final

14.*

14.0.0.Beta1

14.0.0.Beta2

14.0.0.Final

15.*

15.0.0.Beta1

15.0.0.Final

16.*

16.0.0.Beta1

16.0.0.Final

17.*

17.0.0.Alpha1

17.0.0.Beta1

17.0.0.Final

18.*

18.0.0.Beta1

18.0.0.Final

19.*

19.0.0.Beta1

19.0.0.Beta2

20.*

20.0.0.Beta1

20.0.0.Final

21.*

21.0.0.Beta1

21.0.0.Final

22.*

22.0.0.Alpha1

22.0.0.Beta1

22.0.0.Final

23.*

23.0.0.Beta1

23.0.0.Final

24.*

24.0.0.Beta1

25.*

25.0.0.Beta1

25.0.0.Final

26.*

26.0.0.Beta1

27.*

27.0.0.Alpha1

27.0.0.Alpha2

27.0.0.Alpha3

27.0.0.Alpha4

27.0.0.Beta1

27.0.0.Final

7.*

7.0.0.Alpha1

7.0.0.Alpha1-final

7.0.0.Beta1-prerelease

7.0.0.Beta2

7.0.0.Beta2-prerelease

7.0.0.Beta3

7.0.0.CR1

7.0.0.Final

7.0.0.Final-prerelease

7.0.0.Final-prerelease2

7.0.0.Final-prerelease3

7.1.0.Alpha1

7.1.0.Beta1

7.1.0.CR1

7.1.0.Final

7.1.0.Final-prerelease

7.1.0.Final-prerelease2

7.1.1.Final

7.1.2-prerelease

7.1.2.Final

7.2.0.Final

7.2.0.Final-prerelease1

8.*

8.0.0.Alpha1

8.0.0.Alpha2

8.0.0.Alpha3

8.0.0.Alpha4

8.0.0.Beta1

8.0.0.CR1

8.0.0.Final

8.1.0.CR1

8.1.0.CR2

9.*

9.0.0.Beta1

9.0.0.Beta2

9.0.0.CR1

Other

Pre_EE10_Big_Bang