[jboss-jira] [JBoss JIRA] (WFLY-8750) RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.
Hynek Švábek (JIRA)
issues at jboss.org
Mon Jul 3 03:15:01 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8750?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hynek Švábek updated WFLY-8750:
-------------------------------
Security: (was: Security Issue)
> RBAC, Security subsystem contains attributes with capabilities which don't set access-constraint.
> -------------------------------------------------------------------------------------------------
>
> Key: WFLY-8750
> URL: https://issues.jboss.org/browse/WFLY-8750
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Reporter: Hynek Švábek
> Assignee: Darran Lofthouse
> Priority: Blocker
>
> This is potentially security vulnerability therefore it is BLOCKER.
> Security subsystem contains attributes with capabilities which don't set access-constraint.
> All of them have Elytron compatibility capability and I expect there some access constraint too.
> *How to reproduce:*
> {code}
> /subsystem=security:read-resource-description(recursive=true)
> {code}
> There are some places where missing access constraints.
> elytron-key-store with *org.wildfly.security.key-store* capability.
> elytron-realm with *org.wildfly.security.security-realm* capability.
> elytron-trust-manager with *org.wildfly.security.trust-managers* capability.
> elytron-key-manager with *org.wildfly.security.key-managers* capability.
> elytron-trust-store with *org.wildfly.security.key-store* capability.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
More information about the jboss-jira
mailing list