Description
A flaw was discovered in WildFly versions up to 16.0.0.Final that would allow local users who are able to execute the init.d script to terminate arbitrary processes on the system. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/, allowing the init.d script to terminate any process as root.
References (8)
- Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3805
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1107
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1108
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1106
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1140
- Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20190517-0004/
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2413
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2020:0727
Scores
CVSS v3: 4.7
EPSS: 0.0008
EPSS Percentile: 22.7%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Details
CWE: CWE-269, CWE-364
Status: published
Products (3):
- redhat/jboss_enterprise_application_platform 6.0.0
- redhat/jboss_enterprise_application_platform 7.0.0
- redhat/wildfly < 16.0.0
Published: May 03, 2019
Tracked Since: Feb 18, 2026