Jeff Mesnil updated WFCORE-4956:
--------------------------------
Fix Version/s: (was: 13.0.0.Final)
EMBARGOED CVE-2020-10718 wildfly: exposed setting of TCCL via the
EmbeddedManagedProcess API [eap-7.3.z]
--------------------------------------------------------------------------------------------------------
Key: WFCORE-4956
URL: https://issues.redhat.com/browse/WFCORE-4956
Project: WildFly Core
Issue Type: Bug
Components: Embedded
Reporter: Kunjan Rathod
Assignee: James Perkins
Priority: Minor
Labels: CVE-2020-10718, Security, SecurityTracking, downstream_dependency, pscomponent:wildfly
Fix For: 13.0.0.Beta5
Security Tracking Issue
Do not make this issue public.
Impact: Low
Public Date: not set
Resolve Bug By: 545 calendar days from the public date
In case the dates above are already past, please evaluate this bug in your next
prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX
if you decide not to fix this bug.
Please see the Security Errata Policy for further details:
https://docs.engineering.redhat.com/x/9RBqB
NOTE THIS ISSUE IS CURRENTLY EMBARGOED, DO NOT MAKE PUBLIC COMMITS OR COMMENTS ABOUT THIS
ISSUE.
Flaw:
-----
EMBARGOED CVE-2020-10718 wildfly: exposed setting of TCCL via the EmbeddedManagedProcess
API
https://bugzilla.redhat.com/show_bug.cgi?id=1828476
The embedded managed process API has two methods exposed as public methods which can
bypass the security manager.