CVE-2022-0866

CWE-863 — Incorrect Authorization CWE-12204 documents4 sources

Severity

5.3MEDIUM

EPSS

0.3%

top 49.38%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Wildfly Redhat Jboss Enterprise Application Platform Redhat Openstack Platform

Timeline

PublishedMay 10

Latest updateMay 11

Description

This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The exploit consist that the EJBComponent#…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶NVDredhat/jboss_enterprise_application_platform

▶NVDredhat/wildfly11.0.0 — 26.1.1+1

▶CVEListV5wildflyJBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.

▶NVDredhat/openstack_platform13.0

🔴Vulnerability Details

GHSA

GHSA-pjxg-p9c7-7c3v: This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a↗2022-05-11

▶

CVEList

CVE-2022-0866: This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a↗2022-05-10

▶

📋Vendor Advisories

Red Hat

wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security enabled↗2022-05-03

▶