Bitnami package
wildfly
pkg:bitnami/wildfly
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-23367 | — | — | — | < 27.0.1 | 27.0.1 | Jan 30, 2025 | A flaw was found in the WildFly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Mo |
| CVE-2022-1278 | — | — | — | < 27.0.0 | 27.0.0 | Sep 13, 2022 | A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain. |
| CVE-2021-3644 | — | — | — | >= 16.0.0, < 16.0.1 | 16.0.1 | Aug 26, 2022 | A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access a |
| CVE-2022-0866 | — | — | — | >= 11.0.0, < 26.1.1 | 26.1.1 | May 10, 2022 | This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field |
| CVE-2021-3503 | — | — | — | < 23.0.1 | 23.0.1 | Apr 18, 2022 | A flaw was found in WildFly where insufficient RBAC restrictions may lead to exposure of metrics data. The highest threat from this vulnerability is to confidentiality. |
| CVE-2020-1719 | — | — | — | < 20.0.0 | 20.0.0 | Jun 7, 2021 | A flaw was found in WildFly. The EJBContext principal is not popped back after invoking another EJB using a different Security Domain. The highest threat from this vulnerability is to data confidentiality and integrity. Versions before WildFly 20.0.0.Final are affected. |
| CVE-2020-14317 | — | — | — | — | — | Jun 2, 2021 | It was found that the issue for security flaw CVE-2019-3805 appeared again in a further version of JBoss Enterprise Application Platform - Continuous Delivery (EAP-CD), introducing a regression. An attacker could exploit this by modifying the PID file in /var/run/jboss-eap/ allowing |
| CVE-2021-3536 | — | — | — | < 23.0.2 | 23.0.2 | May 20, 2021 | A flaw was found in WildFly in versions before 23.0.2.Final: while creating a new role in domain mode via the admin console, it is possible to add a payload in the name field, leading to XSS. This affects Confidentiality and Integrity. |
| CVE-2020-27822 | — | — | — | >= 19.0.0, < 19.0.1 | 19.0.1 | Dec 8, 2020 | A flaw was found in WildFly affecting versions 19.0.0.Final, 19.1.0.Final, 20.0.0.Final, 20.0.1.Final, and 21.0.0.Final. When an application uses the OpenTracing API's java-interceptors, there is a possibility of a memory leak. This flaw allows an attacker to impact the availabil |
| CVE-2020-25640 | — | — | — | < 21.0.0 | 21.0.0 | Nov 24, 2020 | A flaw was discovered in WildFly before 21.0.0.Final where the resource adapter logs the plain-text JMS password at warning level on connection error, inserting sensitive information in the log file. |
| CVE-2020-25689 | — | — | — | < 21.0.1 | 21.0.1 | Oct 30, 2020 | A memory leak flaw was found in WildFly in all versions up to 21.0.0.Final, where the host-controller tries to reconnect in a loop, generating new connections which are not properly closed while it is unable to connect to the domain-controller. This flaw allows an attacker to cause an Out of |
| CVE-2020-10718 | — | — | — | < 13.0.0 | 13.0.0 | Sep 16, 2020 | A flaw was found in WildFly before wildfly-embedded-13.0.0.Final, where the embedded managed process API has an exposed setting of the Thread Context Classloader (TCCL). This setting is exposed as a public method, which can bypass the security manager. The highest threat from thi |
| CVE-2020-10740 | — | — | — | < 20.0.0 | 20.0.0 | Jun 22, 2020 | A vulnerability was found in WildFly in versions before 20.0.0.Final, where a remote deserialization attack is possible in Enterprise JavaBeans (EJB) due to a lack of validation/filtering capabilities in WildFly. |