// For flags

CVE-2021-3717

wildfly: incorrect JBOSS_LOCAL_USER challenge location may lead to giving access to all the local users

Severity Score

7.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability. This flaw affects wildfly-core versions prior to 17.0.

Se ha encontrado un fallo en Wildfly. Una ubicación incorrecta del desafío JBOSS_LOCAL_USER cuando es usada la configuración elytron puede conllevar el acceso de JBOSS_LOCAL_USER a todos los usuarios de la máquina. La mayor amenaza de esta vulnerabilidad es para la confidencialidad, integridad y disponibilidad. Este fallo afecta a wildfly-core versiones anteriores a 17.0

A flaw was found in Wildfly. An incorrect JBOSS_LOCAL_USER challenge location when using the elytron configuration may lead to JBOSS_LOCAL_USER access to all users on the machine. The highest threat from this vulnerability is to confidentiality, integrity, and availability.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-08-18 CVE Reserved
  • 2021-11-16 CVE Published
  • 2023-12-15 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-552: Files or Directories Accessible to External Parties
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.4"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Safe
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.3
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Safe
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.3
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
7.3
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.3"
-
Affected
in Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
8.0
Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"
-
Safe
Redhat
Search vendor "Redhat"
Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
-text-only
Affected
Redhat
Search vendor "Redhat"
Single Sign-on
Search vendor "Redhat" for product "Single Sign-on"
-text-only
Affected
Redhat
Search vendor "Redhat"
Wildfly Core
Search vendor "Redhat" for product "Wildfly Core"
< 17.0
Search vendor "Redhat" for product "Wildfly Core" and version " < 17.0"
-
Affected