CVE-2021-3536 describes a Cross-Site Scripting (XSS) vulnerability discovered in WildFly. This flaw allows attackers to inject malicious scripts when creating new roles within the domain mode of the admin console. The vulnerability affects versions of WildFly up to and including 9.0.2.Final, and a fix is available in version 23.0.2.Final.
Successful exploitation of CVE-2021-3536 allows an attacker to inject arbitrary JavaScript into the WildFly admin console. That script then executes in the browser of any user who views the affected console page, which could lead to session hijacking, unauthorized access to sensitive data, or defacement of the administrative interface. The impact falls primarily on the confidentiality and integrity of the WildFly environment, since an attacker could steal credentials or modify configurations. Although the CVSS score is LOW, the potential for privilege escalation within the administrative domain makes this a concerning vulnerability.
CVE-2021-3536 was publicly disclosed on May 25, 2021. No public proof-of-concept (POC) code has been widely reported, and there is no indication of active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but the potential impact warrants prompt remediation.
Organizations running WildFly in domain mode, particularly those with publicly accessible admin consoles, are at risk. Legacy deployments using older WildFly versions (≤9.0.2.Final) are especially vulnerable. Shared hosting environments where multiple users have access to the WildFly admin console also face increased risk.
• java / server:
# Check the WildFly version of a running server via the management CLI
/opt/wildfly/bin/jboss-cli.sh --connect --command=version
• java / server:
# Review WildFly logs for suspicious role creation attempts
grep -i 'role name' /opt/wildfly/standalone/log/server.log
EPSS: 0.28% (52nd percentile)
The primary mitigation for CVE-2021-3536 is to upgrade WildFly to version 23.0.2.Final or later, which includes the fix for this vulnerability. If immediate upgrade is not possible, consider restricting access to the admin console to trusted users only. Implement strict input validation on the role name field to prevent the injection of malicious payloads. While a WAF might offer some protection, it is not a substitute for patching. Regularly review WildFly logs for any suspicious activity related to role creation or modification.
Update WildFly to 23.0.2.Final or later. This update fixes the XSS vulnerability in the admin console that is triggered when creating roles in domain mode.
CVE-2021-3536 is an XSS vulnerability in WildFly versions up to 9.0.2.Final. It allows attackers to inject malicious scripts when creating roles via the admin console, potentially compromising confidentiality and integrity.
You are affected if you are running WildFly versions 9.0.2.Final or earlier. Upgrade to 23.0.2.Final or later to mitigate the risk.
Upgrade WildFly to version 23.0.2.Final or later. If immediate upgrade isn't possible, restrict admin console access and validate role name inputs.
There is currently no evidence of active exploitation campaigns targeting CVE-2021-3536, but proactive patching is still recommended.
Refer to the official Red Hat security advisory for CVE-2021-3536: https://access.redhat.com/security/cve/CVE-2021-3536