CVE-2025-23367
Org.wildfly.core:wildfly-server: wildfly improper rbac permission
CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th
A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action.
| CWE | CWE-284 |
| Published | Jan 30, 2025 |
| Last Updated | Apr 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for
Be the first to know when new medium vulnerabilities are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Affected Versions
Red Hat / Red Hat JBoss Enterprise Application Platform 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9
All versions affected Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat Data Grid 8
All versions affected Red Hat / Red Hat Fuse 7
All versions affected Red Hat / Red Hat JBoss Data Grid 7
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected Red Hat / Red Hat Process Automation 7
All versions affected Red Hat / Red Hat Single Sign-On 7
All versions affected References
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3465 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3467 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3989 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3990 access.redhat.com: https://access.redhat.com/errata/RHSA-2025:3992 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-23367 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2337620 github.com: https://github.com/advisories/GHSA-qr6x-62gq-4ccp
Credits
Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue.