CVE-2025-23367 - Vulnerability Details

A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Build Keycloak Jboss Data Grid Jboss Enterprise Application Platform Jboss Enterprise Bpms Platform Jboss Fuse Jbosseapxp Red Hat Single Sign On

No data.

Package	CPE	Advisory	Released Date
Red Hat JBoss Enterprise Application Platform 7
org.wildfly.core/wildfly-server	cpe:/a:redhat:jboss_enterprise_application_platform:7.4	RHSA-2025:3467	2025-04-01T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el8eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8	RHSA-2025:3465	2025-04-01T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el9eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9	RHSA-2025:3465	2025-04-01T00:00:00Z
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2025:3465	2025-04-01T00:00:00Z
eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el7eap	cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7	RHSA-2025:3465	2025-04-01T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:3465
https://access.redhat.com/errata/RHSA-2025:3467
https://access.redhat.com/security/cve/CVE-2025-23367
https://bugzilla.redhat.com/show_bug.cgi?id=2337620
https://github.com/advisories/GHSA-qr6x-62gq-4ccp
https://nvd.nist.gov/vuln/detail/CVE-2025-23367
https://www.cve.org/CVERecord?id=CVE-2025-23367

History

Tue, 01 Apr 2025 13:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8 cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9
References		https://access.redhat.com/errata/RHSA-2025:3465

Tue, 01 Apr 2025 13:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:jboss_enterprise_application_platform:7~~	cpe:/a:redhat:jboss_enterprise_application_platform:7.4
References		https://access.redhat.com/errata/RHSA-2025:3467

Tue, 04 Mar 2025 03:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 31 Jan 2025 20:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/advisories/GHSA-qr6x-62gq-4ccp

Fri, 31 Jan 2025 01:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-23367 https://www.cve.org/CVERecord?id=CVE-2025-23367
Metrics	threat_severity `None`	threat_severity `Moderate`

Thu, 30 Jan 2025 14:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
Title		Org.wildfly.core:wildfly-server: wildfly improper rbac permission
First Time appeared		Redhat Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat red Hat Single Sign On
Weaknesses		CWE-284
CPEs		cpe:/a:redhat:build_keycloak: cpe:/a:redhat:jboss_data_grid:7 cpe:/a:redhat:jboss_data_grid:8 cpe:/a:redhat:jboss_enterprise_application_platform:7 cpe:/a:redhat:jboss_enterprise_application_platform:8 cpe:/a:redhat:jboss_enterprise_bpms_platform:7 cpe:/a:redhat:jboss_fuse:7 cpe:/a:redhat:jbosseapxp cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products		Redhat Redhat build Keycloak Redhat jboss Data Grid Redhat jboss Enterprise Application Platform Redhat jboss Enterprise Bpms Platform Redhat jboss Fuse Redhat jbosseapxp Redhat red Hat Single Sign On
References		https://access.redhat.com/security/cve/CVE-2025-23367 https://bugzilla.redhat.com/show_bug.cgi?id=2337620
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-01-30T14:30:04.227Z

Updated: 2025-04-01T13:15:24.222Z

Reserved: 2025-01-14T15:23:42.645Z

Link: CVE-2025-23367

Vulnrichment

Updated: 2025-02-12T19:45:10.860Z

NVD

Status : Awaiting Analysis

Published: 2025-01-30T15:15:18.610

Modified: 2025-04-01T14:15:22.157

Link: CVE-2025-23367

Redhat

Severity : Moderate

Publid Date: 2025-01-30T00:00:00Z

Links: CVE-2025-23367 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-23367", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2025-01-14T15:23:42.645Z", "datePublished": "2025-01-30T14:30:04.227Z", "dateUpdated": "2025-04-01T13:15:24.222Z"}, "containers": {"cna": {"title": "Org.wildfly.core:wildfly-server: wildfly improper rbac permission", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action."}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "27.0.1.Final", "versionType": "semver"}, {"status": "affected", "version": "28.0.0.Beta1", "lessThan": "28.0.0.Beta2", "versionType": "semver"}], "packageName": "wildfly-core", "collectionURL": "https://github.com/wildfly/wildfly-core", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "org.wildfly.core/wildfly-server", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty-transport-native-epoll", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:7.4.21-3.GA_29548_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty-transport-native-epoll", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:7.4.21-3.GA_29548_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el7eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-netty-transport-native-epoll", "defaultStatus": "affected", "versions": [{"version": "0:4.1.119-1.Final_redhat_00004.1.el7eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "eap7-wildfly", "defaultStatus": "affected", "versions": [{"version": "0:7.4.21-3.GA_29548_redhat_00001.1.el7eap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Data Grid 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_data_grid:8"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_data_grid:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat Process Automation 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "org.wildfly.core/wildfly-server", "defaultStatus": "unknown", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3465", "name": "RHSA-2025:3465", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3467", "name": "RHSA-2025:3467", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-23367", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337620", "name": "RHBZ#2337620", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/advisories/GHSA-qr6x-62gq-4ccp"}], "datePublic": "2025-01-30T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "Improper Access Control", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-284: Improper Access Control", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2025-01-14T14:56:46.389000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-30T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-01T13:15:24.222Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T14:54:55.951787Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:51:12.850Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-23367", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T14:54:55.951787Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-12T19:45:10.860Z"}}], "cna": {"title": "Org.wildfly.core:wildfly-server: wildfly improper rbac permission", "credits": [{"lang": "en", "value": "Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"versions": [{"status": "affected", "version": "0", "lessThan": "27.0.1.Final", "versionType": "semver"}, {"status": "affected", "version": "28.0.0.Beta1", "lessThan": "28.0.0.Beta2", "versionType": "semver"}], "packageName": "wildfly-core", "collectionURL": "https://github.com/wildfly/wildfly-core", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty-transport-native-epoll", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "versions": [{"status": "unaffected", "version": "0:7.4.21-3.GA_29548_redhat_00001.1.el8eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty-transport-native-epoll", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "versions": [{"status": "unaffected", "version": "0:7.4.21-3.GA_29548_redhat_00001.1.el9eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el7eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "versions": [{"status": "unaffected", "version": "0:4.1.119-1.Final_redhat_00004.1.el7eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-netty-transport-native-epoll", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "versions": [{"status": "unaffected", "version": "0:7.4.21-3.GA_29548_redhat_00001.1.el7eap", "lessThan": "*", "versionType": "rpm"}], "packageName": "eap7-wildfly", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:8"], "vendor": "Red Hat", "product": "Red Hat Data Grid 8", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_data_grid:7"], "vendor": "Red Hat", "product": "Red Hat JBoss Data Grid 7", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_bpms_platform:7"], "vendor": "Red Hat", "product": "Red Hat Process Automation 7", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "org.wildfly.core/wildfly-server", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}], "timeline": [{"lang": "en", "time": "2025-01-14T14:56:46.389000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2025-01-30T00:00:00+00:00", "value": "Made public."}], "datePublic": "2025-01-30T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2025:3465", "name": "RHSA-2025:3465", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2025:3467", "name": "RHSA-2025:3467", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2025-23367", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337620", "name": "RHBZ#2337620", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/advisories/GHSA-qr6x-62gq-4ccp"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "Improper Access Control"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2025-04-01T13:15:24.222Z"}, "x_redhatCweChain": "CWE-284: Improper Access Control"}}, "cveMetadata": {"cveId": "CVE-2025-23367", "state": "PUBLISHED", "dateUpdated": "2025-04-01T13:15:24.222Z", "dateReserved": "2025-01-14T15:23:42.645Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2025-01-30T14:30:04.227Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en el proveedor Wildfly Server Role Based Access Control (RBAC). Cuando la autorizaci\u00f3n para controlar las operaciones de administraci\u00f3n se asegura mediante el proveedor de control de acceso basado en roles, un usuario sin los privilegios requeridos puede suspender o reanudar el servidor. Se supone que un usuario con un rol de Monitor o Auditor solo tiene permisos de acceso de lectura y no deber\u00eda poder suspender el servidor. La vulnerabilidad se debe a que los controladores de Suspensi\u00f3n y Reanudaci\u00f3n no realizan comprobaciones de autorizaci\u00f3n para validar si el usuario actual tiene los permisos requeridos para continuar con la acci\u00f3n."}], "id": "CVE-2025-23367", "lastModified": "2025-04-01T14:15:22.157", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2025-01-30T15:15:18.610", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3465"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2025:3467"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2025-23367"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337620"}, {"source": "secalert@redhat.com", "url": "https://github.com/advisories/GHSA-qr6x-62gq-4ccp"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2025:3467", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4", "package": "org.wildfly.core/wildfly-server", "product_name": "Red Hat JBoss Enterprise Application Platform 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el8", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el9", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el9eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-netty-transport-native-epoll-0:4.1.119-1.Final_redhat_00004.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}, {"advisory": "RHSA-2025:3465", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.4::el7", "package": "eap7-wildfly-0:7.4.21-3.GA_29548_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7", "release_date": "2025-04-01T00:00:00Z"}], "bugzilla": {"description": "org.wildfly.core:wildfly-server: Wildfly improper RBAC permission", "id": "2337620", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2337620"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-284", "details": ["A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.", "A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. \nThe vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-23367", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Will not fix", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Out of support scope", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Out of support scope", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Out of support scope", "package_name": "org.wildfly.core/wildfly-server", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2025-01-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-23367\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23367\nhttps://github.com/advisories/GHSA-qr6x-62gq-4ccp"], "statement": "Red Hat has evaluated this issue and the attacker must be authenticated as a user that belongs to the \"Monitor\" or \"Auditor\" management groups. It requires previous privileges to jeopardize an environment.", "threat_severity": "Moderate"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object