CVE-2019-14843 — DEPRECATED: Authentication Bypass Issues in RED HAT Wildfly-security-manager
Severity
8.8 HIGH (NVD)
EPSS
0.2%
top 60.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Jan 7
Latest update: May 24
Description
A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester. This flaw could be used by a malicious app deployed on the app server to access unauthorized information and possibly conduct further attacks. Versions shipped with Red Hat JBoss EAP 7 and Red Hat SSO 7 are vulnerable to this issue.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9
Affected Packages: 3 packages
Patches
Vulnerability Details (2)
GHSA
GHSA-767r-575r-6x2j: A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester (2022-05-24)
CVEList
CVE-2019-14843: A flaw was found in Wildfly Security Manager, running under JDK 11 or 8, that authorized requests for any requester (2020-01-07)