VulnerableCode Package Details - pkg:maven/org.wildfly.core/wildfly-server@28.0.0.Beta1

Search for packages

Vulnerability	Summary	Fixed by
VCID-aqrs-a7v7-6kfh Aliases: CVE-2025-23367 GHSA-qr6x-62gq-4ccp	WildFly improper RBAC permission A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. ### Impact Standalone server (Domain mode is not affected) with use access control enabled with RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, the server will stop receiving user requests. The resume handle does the opposite; it will cause a suspended server to start accepting user requests. ### Patches Fixed in [WildFly Core 27.0.1.Final](https://github.com/wildfly/wildfly-core/releases/tag/27.0.1.Final) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFCORE-7153 ### Acknowledgements The WildFly project would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue. https://www.gruppotim.it/it/footer/red-team.html	28.0.0.Beta2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-aqrs-a7v7-6kfh
Aliases:
CVE-2025-23367
GHSA-qr6x-62gq-4ccp

WildFly improper RBAC permission A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. ### Impact Standalone server (Domain mode is not affected) with use access control enabled with RBAC provider can be suspended or resumed by unauthorized users. When a server is suspended, the server will stop receiving user requests. The resume handle does the opposite; it will cause a suspended server to start accepting user requests. ### Patches Fixed in [WildFly Core 27.0.1.Final](https://github.com/wildfly/wildfly-core/releases/tag/27.0.1.Final) ### Workarounds No workaround available ### References See also: https://issues.redhat.com/browse/WFCORE-7153 ### Acknowledgements The WildFly project would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue. https://www.gruppotim.it/it/footer/red-team.html

28.0.0.Beta2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-07T04:56:55.162363+00:00	GHSA Importer	Affected by	VCID-aqrs-a7v7-6kfh	https://github.com/advisories/GHSA-qr6x-62gq-4ccp	38.1.0
2026-04-01T12:55:20.393135+00:00	GithubOSV Importer	Affected by	VCID-aqrs-a7v7-6kfh	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qr6x-62gq-4ccp/GHSA-qr6x-62gq-4ccp.json	38.0.0

2026-04-07T04:56:55.162363+00:00

GHSA Importer

Affected by

VCID-aqrs-a7v7-6kfh

https://github.com/advisories/GHSA-qr6x-62gq-4ccp

38.1.0

2026-04-01T12:55:20.393135+00:00

GithubOSV Importer

Affected by

VCID-aqrs-a7v7-6kfh

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/01/GHSA-qr6x-62gq-4ccp/GHSA-qr6x-62gq-4ccp.json

38.0.0

Next non-vulnerable version	28.0.0.Beta2
Latest non-vulnerable version	28.0.0.Beta2
Risk	3.1