CVE-2019-14838

Aliases: GHSA-82v2-f875-73g9
Advisory lineage: Upstream: 0, Downstream: 7
Status: Modified
Published: 14 Oct 2019, 14:32
Last modified: 05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)
low
21/100
CVSS Score
5.2 MEDIUM
v3.0 (cve.org)
EPSS Score
0.38% LOW
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected

Timeline

14 Oct 2019, 14:32
Published
Vulnerability first disclosed
05 Aug 2024, 00:26
Last Modified
Vulnerability information updated

Description

A flaw was found in wildfly-core before 7.2.5.GA. Management users with the Monitor, Auditor and Deployer roles should not be allowed to modify the runtime state of the server.

CVSS Metrics

  • v3.1 MEDIUM, score 4.9: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
  • v3.0 MEDIUM, score 5.2: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:H
  • v2.0 MEDIUM, score 4.0: AV:N/AC:L/Au:S/C:N/I:P/A:N

EPSS Trends

Current EPSS score: 0.38% Percentile: 60%

Techniques & Countermeasures

  • CWE-269: Improper Privilege Management

    The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

  • CWE-284: Improper Access Control

    The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Affected Systems

  • org.wildfly.core:wildfly-host-controller (Maven)

    < 7.2.5.GA

  • red hat / wildfly-core

    < 7.2.5.GA

  • redhat / data_grid

    7.3.4

  • redhat / jboss_enterprise_application_platform

    7.2.0 | 7.2.5 | 7.3.0 | 7.2.4

  • redhat / single_sign-on

    7.3.5

  • redhat / wildfly_core

    7.0.0 | 7.0.0:alpha1 | 7.0.0:alpha2 | 7.0.0:alpha3 | 7.0.0:alpha4 | 7.0.0:alpha5 | 7.0.0:beta1 | 7.0.0:cr1

References (16)