VulnerableCode Package Details - pkg:maven/org.wildfly.core/wildfly-server@27.0.1.Final

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-aqrs-a7v7-6kfh	WildFly improper RBAC permission A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. ### Impact Standalone server (Domain mode is not affected) with use access control enabled with RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, the server will stop receiving user requests. The resume handle does the opposite; it will cause a suspended server to start accepting user requests. ### Patches Fixed in [WildFly Core 27.0.1.Final](https://github.com/wildfly/wildfly-core/releases/tag/27.0.1.Final) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFCORE-7153 ### Acknowledgements The WildFly project would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue. https://www.gruppotim.it/it/footer/red-team.html	CVE-2025-23367 GHSA-qr6x-62gq-4ccp

Vulnerability

Summary

Aliases

VCID-aqrs-a7v7-6kfh

WildFly improper RBAC permission A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. ### Impact Standalone server (Domain mode is not affected) with use access control enabled with RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, the server will stop receiving user requests. The resume handle does the opposite; it will cause a suspended server to start accepting user requests. ### Patches Fixed in [WildFly Core 27.0.1.Final](https://github.com/wildfly/wildfly-core/releases/tag/27.0.1.Final) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFCORE-7153 ### Acknowledgements The WildFly project would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue. https://www.gruppotim.it/it/footer/red-team.html

CVE-2025-23367
GHSA-qr6x-62gq-4ccp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:19:48.590609+00:00	GitLab Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.core/wildfly-server/CVE-2025-23367.yml	38.4.0
2026-04-12T00:38:40.168454+00:00	GitLab Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.core/wildfly-server/CVE-2025-23367.yml	38.3.0
2026-04-07T04:56:55.209552+00:00	GHSA Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://github.com/advisories/GHSA-qr6x-62gq-4ccp	38.1.0
2026-04-03T00:46:39.436956+00:00	GitLab Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.core/wildfly-server/CVE-2025-23367.yml	38.1.0
2026-04-02T12:40:45.740986+00:00	GitLab Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.wildfly.core/wildfly-server/CVE-2025-23367.yml	38.0.0
2026-04-01T12:55:20.349197+00:00	GithubOSV Importer	Fixing	VCID-aqrs-a7v7-6kfh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qr6x-62gq-4ccp/GHSA-qr6x-62gq-4ccp.json	38.0.0