Hynek Švábek updated WFLY-8750:
-------------------------------
Security: (was: Security Issue)
RBAC, Security subsystem contains attributes with capabilities which
don't set access-constraint.
-------------------------------------------------------------------------------------------------
Key: WFLY-8750
URL: https://issues.jboss.org/browse/WFLY-8750
Project: WildFly
Issue Type: Bug
Components: Security
Reporter: Hynek Švábek
Assignee: Darran Lofthouse
Priority: Blocker
This is potentially a security vulnerability, therefore it is a BLOCKER.
The Security subsystem contains attributes with capabilities which don't set an
access-constraint.
All of them have an Elytron compatibility capability and I expect some access
constraint there too.
*How to reproduce:*
{code}
/subsystem=security:read-resource-description(recursive=true)
{code}
There are some places where access constraints are missing:
elytron-key-store with *org.wildfly.security.key-store* capability.
elytron-realm with *org.wildfly.security.security-realm* capability.
elytron-trust-manager with *org.wildfly.security.trust-managers* capability.
elytron-key-manager with *org.wildfly.security.key-managers* capability.
elytron-trust-store with *org.wildfly.security.key-store* capability.
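An added audit script (not part of this issue or of WildFly) that walks a JSON export of the read-resource-description output above and lists every attribute that references a capability but declares no access-constraints. It assumes the description was saved as JSON (for example via jboss-cli.sh --output-json) and uses a constructed, abbreviated sample instead of a live server.

```python
"""Audit a WildFly read-resource-description(recursive=true) dump for
attributes that carry a capability-reference but no access-constraints,
the RBAC gap described in WFLY-8750.  Added example, not WildFly code."""
import json


def find_unconstrained(desc, path="/subsystem=security"):
    """Return (address, attribute, capability) triples for attributes
    whose description has a capability-reference and no access-constraints.
    Walks the 'children' -> type -> 'model-description' -> name nesting
    that read-resource-description(recursive=true) produces."""
    hits = []
    for name, attr in desc.get("attributes", {}).items():
        cap = attr.get("capability-reference")
        if cap and not attr.get("access-constraints"):
            hits.append((path, name, cap))
    for child_type, registry in desc.get("children", {}).items():
        for child_name, child_desc in registry.get("model-description", {}).items():
            child_path = f"{path}/{child_type}={child_name}"
            hits.extend(find_unconstrained(child_desc, child_path))
    return hits


# Constructed sample: abbreviated shape of the JSON output, with one
# attribute lacking constraints (the WFLY-8750 case) and one control
# attribute that does declare a sensitivity constraint.  Attribute names
# are illustrative, not taken from the issue.
SAMPLE = {
    "attributes": {"deep-copy-subject-mode": {"type": "BOOLEAN"}},
    "children": {
        "elytron-key-store": {"model-description": {"*": {"attributes": {
            "legacy-jsse-config": {
                "type": "STRING",
                "capability-reference": "org.wildfly.security.key-store"}}}}},
        "elytron-realm": {"model-description": {"*": {"attributes": {
            "legacy-jaas-config": {
                "type": "STRING",
                "capability-reference": "org.wildfly.security.security-realm",
                "access-constraints": {
                    "sensitive": {"credential": {"type": "core"}}}}}}}},
    },
}

if __name__ == "__main__":
    # Swap SAMPLE for json.load(open("security-desc.json")) on a real export.
    for address, attribute, capability in find_unconstrained(SAMPLE):
        print(f"{address} attribute={attribute} capability={capability} "
              "has no access-constraints")
```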