CVE-2021-3644

wildfly-core: Invalid Sensitivity Classification of Vault Expression

Severity Score

3.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.

Se ha encontrado un fallo en wildfly-core en todas las versiones. Si una expresión de bóveda está en la forma de un solo atributo que contiene múltiples expresiones, un usuario al que le ha sido concedido acceso a la interfaz de administración puede potencialmente acceder a una expresión de bóveda a la que no debería poder acceder y posiblemente recuperar el elemento que estaba almacenado en la bóveda. La mayor amenaza de esta vulnerabilidad es la confidencialidad e integridad de los datos.

Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This release of Red Hat JBoss Enterprise Application Platform 7.4.1 serves as a replacement for Red Hat JBoss Enterprise Application Platform 7.4.0 and includes bug fixes and enhancements. See the Red Hat JBoss Enterprise Application Platform 7.4.1 Release Notes for information about the most significant bug fixes and enhancements included in this release. Issues addressed include code execution, cross site scripting, denial of service, and traversal vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Multiple

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-07-14 CVE Reserved
2021-09-08 CVE Published
2024-08-03 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714	2022-08-31
https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b	2022-08-31
https://github.com/wildfly/wildfly-core/pull/4668	2022-08-31
https://issues.redhat.com/browse/WFCORE-5511	2022-08-31

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-3644	2022-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=1976052	2022-08-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redhat Search vendor "Redhat"		Descision Manager Search vendor "Redhat" for product "Descision Manager"				7.0 Search vendor "Redhat" for product "Descision Manager" and version "7.0"		-		Affected
Redhat Search vendor "Redhat"		Wildfly Search vendor "Redhat" for product "Wildfly"				16.0.0 Search vendor "Redhat" for product "Wildfly" and version "16.0.0"		-		Affected
Redhat Search vendor "Redhat"		Wildfly Search vendor "Redhat" for product "Wildfly"				17.0.0 Search vendor "Redhat" for product "Wildfly" and version "17.0.0"		beta2		Affected