Platform: java
Component: org.wildfly:wildfly-parent
Fixed in: 23.0.3, 23.0.2.Final
CVE-2021-3536 describes a Cross-Site Scripting (XSS) vulnerability discovered in WildFly. This flaw allows attackers to inject malicious scripts when creating new roles within the domain mode of the admin console. The vulnerability affects versions of WildFly up to and including 9.0.2.Final, and a fix is available in version 23.0.2.Final.
Successful exploitation of CVE-2021-3536 allows an attacker to inject arbitrary JavaScript code into the WildFly admin console. This code could then be executed in the context of a user accessing the console, potentially leading to session hijacking, unauthorized access to sensitive data, or defacement of the administrative interface. The impact is primarily focused on the confidentiality and integrity of the WildFly environment, as an attacker could steal credentials or modify configurations. While the CVSS score is LOW, the potential for privilege escalation within the administrative domain makes this a concerning vulnerability.
CVE-2021-3536 was publicly disclosed on May 25, 2021. No public proof-of-concept (POC) code has been widely reported, and there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but the potential impact warrants prompt remediation.
Exploit Status
EPSS: 0.28% (52nd percentile)
CVSS Vector
The primary mitigation for CVE-2021-3536 is to upgrade WildFly to version 23.0.2.Final or later, which includes the fix for this vulnerability. If immediate upgrade is not possible, consider restricting access to the admin console to trusted users only. Implement strict input validation on the role name field to prevent the injection of malicious payloads. While a WAF might offer some protection, it is not a substitute for patching. Regularly review WildFly logs for any suspicious activity related to role creation or modification.
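The input validation and output encoding mentioned above, as an added illustration for a custom extension or a front-end that handles role names; this is not WildFly's own fix, and the allowlist pattern and length limit are assumed policy values, not taken from the project:

```java
import java.util.regex.Pattern;

/**
 * Defensive handling of a role name before it is stored or rendered.
 * Added example, not code from WildFly: the allowlist and the 64-character
 * limit are assumptions chosen for illustration.
 */
public final class RoleNameGuard {

    // Allowlist: letters, digits, '_', '-' and '.', 1..64 characters (assumed policy).
    private static final Pattern ALLOWED = Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    private RoleNameGuard() {}

    /** Input validation: reject anything that is not on the allowlist. */
    public static boolean isValidRoleName(String name) {
        return name != null && ALLOWED.matcher(name).matches();
    }

    /** Output encoding for an HTML text node or a double-quoted attribute value. */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Validate on input, and still encode on output (defence in depth). */
    public static String renderRoleName(String name) {
        if (!isValidRoleName(name)) {
            throw new IllegalArgumentException("role name rejected by allowlist");
        }
        return htmlEscape(name);
    }

    public static void main(String[] args) {
        System.out.println(isValidRoleName("deployer"));
        System.out.println(isValidRoleName("<script>alert(1)</script>"));
        System.out.println(htmlEscape("<b>\"x\"</b>"));
        System.out.println(renderRoleName("ops-team.read_only"));
    }
}
```

Keeping both layers matters: the allowlist stops stored-XSS payloads from ever reaching the configuration, while the encoder protects any rendering path that receives a role name from an older, unvalidated source.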
Upgrade WildFly to version 23.0.2.Final or later. This update fixes an XSS vulnerability in the admin console when creating roles in domain mode.
CVE-2021-3536 is an XSS vulnerability in WildFly versions up to 9.0.2.Final. It allows attackers to inject malicious scripts when creating roles via the admin console, potentially compromising confidentiality and integrity.
You are affected if you are running WildFly versions 9.0.2.Final or earlier. Upgrade to 23.0.2.Final or later to mitigate the risk.
Upgrade WildFly to version 23.0.2.Final or later. If immediate upgrade isn't possible, restrict admin console access and validate role name inputs.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-3536, but proactive patching is still recommended.
Refer to the official Red Hat security advisory for CVE-2021-3536: https://access.redhat.com/security/cve/CVE-2021-3536