CVE-2019-14838
wildfly-core: Incorrect privileges for 'Monitor', 'Auditor' and 'Deployer' user by default
Severity Score
4.9
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
A flaw was found in wildfly-core before 7.2.5.GA. The Management users with Monitor, Auditor and Deployer Roles should not be allowed to modify the runtime state of the server
Se detectó un error en wildfly-core en versiones anteriores a la 7.2.5.GA. Los usuarios de administración con funciones de monitor, auditor e implementador no deberían poder modificar el estado de tiempo de ejecución del servidor
It was found that Wildfly users had default user permissions set incorrectly. A malicious user could use this flaw to access unauthorized controls for the application server.
Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.2.5 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.2.4, and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.2.5 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include bypass and denial of service vulnerabilities.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2019-08-10 CVE Reserved
- 2019-10-14 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-269: Improper Privilege Management
- CWE-284: Improper Access Control
CAPEC
References (14)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:3082 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:3083 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4018 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4019 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4020 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4021 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4040 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4041 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4042 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2019:4045 | 2020-10-13 | |
| https://access.redhat.com/errata/RHSA-2020:0728 | 2020-10-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14838 | 2020-10-13 | |
| https://access.redhat.com/security/cve/CVE-2019-14838 | 2020-06-15 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1751227 | 2020-06-15 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.5 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.5 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.5 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.3.0 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3.0" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.3.5 Search vendor "Redhat" for product "Single Sign-on" and version "7.3.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 6.0 Search vendor "Redhat" for product "Enterprise Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.3.5 Search vendor "Redhat" for product "Single Sign-on" and version "7.3.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 7.0 Search vendor "Redhat" for product "Enterprise Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.3.5 Search vendor "Redhat" for product "Single Sign-on" and version "7.3.5" | - |
Affected
| in | Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | alpha1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | alpha2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | alpha3 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | alpha4 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | alpha5 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | beta1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Wildfly Core Search vendor "Redhat" for product "Wildfly Core" | 7.0.0 Search vendor "Redhat" for product "Wildfly Core" and version "7.0.0" | cr1 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Data Grid Search vendor "Redhat" for product "Data Grid" | 7.3.4 Search vendor "Redhat" for product "Data Grid" and version "7.3.4" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Jboss Enterprise Application Platform Search vendor "Redhat" for product "Jboss Enterprise Application Platform" | 7.2.4 Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.2.4" | - |
Affected
| ||||||