Vulnerability Details CVE-2019-3894
It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.012
EPSS Ranking 78.2%
CVSS Severity
CVSS v3 Score 5.4
CVSS v2 Score 6.5
References
- https://access.redhat.com/errata/RHSA-2019:1106
- https://access.redhat.com/errata/RHSA-2019:1107
- https://access.redhat.com/errata/RHSA-2019:1108
- https://access.redhat.com/errata/RHSA-2019:1140
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894
- https://security.netapp.com/advisory/ntap-20190517-0004/
- https://access.redhat.com/errata/RHSA-2019:1106
- https://access.redhat.com/errata/RHSA-2019:1107
- https://access.redhat.com/errata/RHSA-2019:1108
- https://access.redhat.com/errata/RHSA-2019:1140
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3894
- https://security.netapp.com/advisory/ntap-20190517-0004/
Products affected by CVE-2019-3894
-
cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0.0
-
cpe:2.3:a:redhat:wildfly:11.0.0
-
cpe:2.3:a:redhat:wildfly:12.0.0
-
cpe:2.3:a:redhat:wildfly:13.0.0
-
cpe:2.3:a:redhat:wildfly:14.0.0
-
cpe:2.3:a:redhat:wildfly:14.0.1
-
cpe:2.3:a:redhat:wildfly:15.0.0
-
cpe:2.3:a:redhat:wildfly:15.0.1
-
cpe:2.3:a:redhat:wildfly:16.0.0