[jboss-jira] [JBoss JIRA] (WFCORE-4956) EMBARGOED CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API [eap-7.3.z]

EMBARGOED CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API [eap-7.3.z] -------------------------------------------------------------------------------------------------------- Key: WFCORE-4956 URL: https://issues.redhat.com/browse/WFCORE-4956 Project: WildFly Core Issue Type: Bug Components: Embedded Reporter: Kunjan Rathod Assignee: James Perkins Priority: Minor Labels: CVE-2020-10718, Security, SecurityTracking, downstream_dependency, pscomponent:wildfly Fix For: 13.0.0.Beta5 Security Tracking Issue Do not make this issue public. Impact: Low Public Date: not set Resolve Bug By: 545 calendar days from the public date In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug. Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9RBqB NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS ISSUE. Flaw: ----- EMBARGOED CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess API https://bugzilla.redhat.com/show_bug.cgi?id=1828476 The embedded managed process API has two methods exposed as public methods which can bypass the security manager.