CVE-2025-23367

MEDIUM

Red Hat JBoss Enterprise Application Platform 7.4 - Improper Access Control in Suspend and Resume Handlers

Title source: llm

Description

A flaw was found in the WildFly Server Role Based Access Control (RBAC) provider. When authorization of management operations is enforced using the RBAC provider, a user without the required privileges can suspend or resume the server. A user with the Monitor or Auditor role is supposed to have read-only permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume operation handlers not performing an authorization check to validate that the current user holds the permissions required to perform the action.

References (8)

Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:3990
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:3992
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2025-23367
Vendor Advisory (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2337620
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:3465
Issue Tracking (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:3467
Issue Tracking (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2025:3989

Scores

CVSS v3 6.5
EPSS 0.0020
EPSS Percentile 41.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-284
Status published
Products (43)
org.wildfly.core/wildfly-server 0 - 27.0.1.Final (Maven)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat Data Grid 8
Red Hat/Red Hat Fuse 7
Red Hat/Red Hat JBoss Data Grid 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:4.1.119-1.Final_redhat_00004.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8 0:7.4.21-3.GA_29548_redhat_00001.1.el8eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 0:4.1.119-1.Final_redhat_00004.1.el9eap
Red Hat/Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9 0:7.4.21-3.GA_29548_redhat_00001.1.el9eap
... and 33 more
Published Jan 30, 2025
Tracked Since Feb 18, 2026