CVE-2019-14843

Advisory lineage Upstream: 0 Downstream: 8

Downstream

RHSA-2019:2973 RHSA-2019:4018 RHSA-2019:4019 RHSA-2019:4020 RHSA-2019:4040 RHSA-2019:4041

Modified

Published: 07 Jan 2020, 16:34

Last modified:05 Aug 2024, 00:26

Vulnerability Summary

Overall Risk (default)

medium

35/100

CVSS Score

8.8 HIGH

v3.1 (nvd)

EPSS Score

0.18% LOW

0% probability 0.00%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

07 Jan 2020, 16:34

Published

Vulnerability first disclosed

05 Aug 2024, 00:26

Last Modified

Vulnerability information updated

Description

A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.

CVSS Metrics

v3.1•HIGH•Score: 8.8CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
v2.0•MEDIUM•Score: 6.5AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 0.18%• Percentile: 39%

Techniques & Countermeasures

CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-592•DEPRECATED: Authentication Bypass Issues
This weakness has been deprecated because it covered redundant concepts already described in CWE-287.

Affected Systems

red hat•wildfly-security-manager
As shipped with Red Hat Jboss EAP 7 and Red Hat SSO 7
redhat•jboss_enterprise_application_platform
7.2.0
redhat•single_sign-on
7.3 | na

References (1)

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14843