CVE-2020-1719: Privilege Context Switching Error in WildFly
CVSS Score
5.4 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.32301%
CWE
Published
6/8/2021
Updated
2/1/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.wildfly.bom:wildfly | maven | <= 19.1.0.Final | 20.0.0.Final |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability centers on improper security context restoration after cross-domain EJB calls. WildFly's security architecture uses SecurityContextInterceptor to manage context switching. The defect is the missing context restoration in its aroundInvoke method: the finally block that should reset the SecurityContextAssociation to the caller's context is absent, which matches the described vulnerability pattern. This method is the core function responsible for pushing and popping security contexts during EJB method invocations, so a context that is not reset there persists beyond the call it was pushed for.
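As an added illustration, not WildFly's own code: a minimal thread-local model of the interceptor pattern described above, showing the context pushed but only popped on the success path beside the try/finally form that restores the caller's context on every exit. The class, method and domain names (ContextSwitchDemo, aroundInvokeVulnerable, aroundInvokeFixed, "caller-domain:user") are hypothetical stand-ins, not the real SecurityContextInterceptor or SecurityContextAssociation API.

```java
// Hypothetical model of a security-context interceptor; not WildFly code.
import java.util.ArrayDeque;
import java.util.Deque;

public class ContextSwitchDemo {
    // Stand-in for SecurityContextAssociation: a per-thread stack of contexts.
    static final ThreadLocal<Deque<String>> CONTEXTS =
        ThreadLocal.withInitial(ArrayDeque::new);

    static String current() {
        Deque<String> stack = CONTEXTS.get();
        return stack.isEmpty() ? "anonymous" : stack.peek();
    }

    interface Invocation { String proceed() throws Exception; }

    // Vulnerable pattern: the target domain's context is pushed, but the pop
    // only runs when proceed() returns normally.
    static String aroundInvokeVulnerable(String targetDomain, Invocation inv) throws Exception {
        CONTEXTS.get().push(targetDomain);
        String result = inv.proceed();   // an exception here skips the pop below
        CONTEXTS.get().pop();
        return result;
    }

    // Fixed pattern: the pop lives in a finally block, so the caller's context
    // is restored whether the target method returns or throws.
    static String aroundInvokeFixed(String targetDomain, Invocation inv) throws Exception {
        CONTEXTS.get().push(targetDomain);
        try {
            return inv.proceed();
        } finally {
            CONTEXTS.get().pop();
        }
    }

    public static void main(String[] args) {
        Invocation failing = () -> { throw new IllegalStateException("target method failed"); };

        CONTEXTS.get().push("caller-domain:user");
        try { aroundInvokeVulnerable("target-domain:admin", failing); }
        catch (IllegalStateException e) { /* expected */ }
        // The thread still carries the target domain's context here.
        System.out.println("after vulnerable call: " + current());

        CONTEXTS.get().clear();
        CONTEXTS.get().push("caller-domain:user");
        try { aroundInvokeFixed("target-domain:admin", failing); }
        catch (IllegalStateException e) { /* expected */ }
        // The caller's context is back in place despite the exception.
        System.out.println("after fixed call: " + current());
    }
}
```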