CVE-2025-23367
PUBLISHED
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
Risk Scores
EPSS Score: 0.20% (41.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | wildfly | 0, 28.0.0 |
| Bitnami | wildfly | 28.0.0, 0 |
Timeline
- Jan 14, 2025 CVE ID Reserved
- Jan 30, 2025 CVE Published
- Jan 31, 2025 EPSS Score
- Feb 1, 2025 Coalition ESS Score
- Feb 15, 2025 EPSS Score
- Mar 2, 2025 EPSS Score
- Mar 17, 2025 EPSS Score
- Apr 1, 2025 EPSS Score
- Apr 1, 2025 Coalition ESS Score
- Apr 13, 2025 Coalition ESS Score
- Apr 16, 2025 EPSS Score
- Apr 19, 2025 Coalition ESS Score
References
- https://access.redhat.com/errata/RHSA-2025:3467
- https://access.redhat.com/errata/RHSA-2025:3989
- https://access.redhat.com/security/cve/CVE-2025-23367
- https://bugzilla.redhat.com/show_bug.cgi?id=2337620
- https://github.com/advisories/GHSA-qr6x-62gq-4ccp
- https://nvd.nist.gov/vuln/detail/CVE-2025-23367
- https://access.redhat.com/errata/RHSA-2025:3990
- https://access.redhat.com/errata/RHSA-2025:3992
- https://access.redhat.com/errata/RHSA-2025:3465