CVE-2025-23367

6.5 MEDIUM
Published: January 30, 2025 Modified: December 06, 2025

Description

A flaw was found in the WildFly Server Role Based Access Control (RBAC) provider. When authorization of management operations is secured using the RBAC provider, a user without the required privileges can suspend or resume the server. A user with the Monitor or Auditor role is supposed to have read-only permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume operation handlers not performing authorization checks to validate that the current user has the permissions required to proceed with the action.


CVSS v3.x Details

Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References to Advisories, Solutions, and Tools

https://access.redhat.com/errata/RHSA-2025:3467 (Source: secalert@redhat.com; Issue Tracking)
https://access.redhat.com/errata/RHSA-2025:3989 (Source: secalert@redhat.com; Issue Tracking)
https://access.redhat.com/security/cve/CVE-2025-23367 (Source: secalert@redhat.com; Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2337620 (Source: secalert@redhat.com; Vendor Advisory)
https://github.com/advisories/GHSA-qr6x-62gq-4ccp (Source: secalert@redhat.com; Third Party Advisory)

7 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.5 / 10.0
EPSS (Exploit Probability)
0.2%
41st percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

Affected Vendors

redhat