CVE-2025-23367: 
Java vulnerability analysis and mitigation

A vulnerability was discovered in the Wildfly Server Role Based Access Control (RBAC) provider (CVE-2025-23367), disclosed on January 30, 2025. The flaw affects the authorization control mechanism in Wildfly Server, specifically impacting standalone servers with RBAC provider enabled. When authorization to control management operations is secured using the Role Based Access Control provider, users with Monitor or Auditor roles, who should only have read access permissions, can improperly suspend or resume the server (Red Hat CVE, NVD).

The vulnerability stems from the Suspend and Resume handlers not performing authorization checks to validate whether the current user has the required permissions to proceed with the action. The issue has been assigned a CVSS v3.1 base score of 6.5 (Moderate), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. The vulnerability is classified under CWE-284 (Improper Access Control) (Red Hat CVE).

When exploited, this vulnerability allows unauthorized users to suspend or resume the server. When a server is suspended, it stops receiving user requests, and when resumed, it starts accepting user requests again. The vulnerability specifically affects standalone servers with RBAC access control enabled, while domain mode is not affected (GitHub Advisory).

Currently, there is no workaround available for this vulnerability. The issue has been fixed in WildFly Core version 27.0.1.Final and 28.0.0.Beta2 (GitHub Advisory).

The WildFly project acknowledged the contribution of Claudia Bartolini, Marco Ventura, and Massimiliano Brolli from TIM S.p.A for reporting this security issue (GitHub Advisory).