3.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3644

GHSA ID

GHSA-w88m-2936-rmxr

EPSS Score

0.3934%

CWE

Published

8/27/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3644

CVE-2021-3644: wildfly-core allows user with access to management interface to access vault expression, retrieve item from vault

A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.

(GitHub Advisory)

3.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3644

GHSA ID

GHSA-w88m-2936-rmxr

EPSS Score

0.3934%

CWE

Published

8/27/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.wildfly.core:wildfly-server	maven	< 16.0.1.Final	16.0.1.Final
org.wildfly.core:wildfly-server	maven	>= 17.0.0.Beta2, < 17.0.0.Beta3	17.0.0.Beta3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper sensitivity classification of vault expressions in multi-expression attributes. The commit diff shows the patched version replaced the original two-step check (ExpressionResolver.EXPRESSION_PATTERN followed by VaultReader.STANDARD_VAULT_PATTERN) with a single comprehensive regex (VAULT_EXPRESSION_PATTERN) that scans the entire attribute value. The test case added in VaultExpressionSensitivityTestCase.java demonstrates how an attacker could previously inject a vault expression alongside other content. The isSensitiveValue function's pre-patch logic failed to detect vault expressions when they weren't the sole expression in the attribute, making it the clear vulnerable function.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in wil**ly-*or* in *ll v*rsions. I* * v*ult *xpr*ssion is in t** *orm o* * sin*l* *ttri*ut* t**t *ont*ins multipl* *xpr*ssions, * us*r w*o w*s *r*nt** ****ss to t** m*n***m*nt int*r**** **n pot*nti*lly ****ss * v*ult *xpr*ssion t**y

Reasoning

T** vuln*r**ility st*ms *rom improp*r s*nsitivity *l*ssi*i**tion o* v*ult *xpr*ssions in multi-*xpr*ssion *ttri*ut*s. T** *ommit *i** s*ows t** p*t**** v*rsion r*pl**** t** ori*in*l two-st*p ****k (*xpr*ssionR*solv*r.*XPR*SSION_P*TT*RN *ollow** *y V*

3.3

Basic Information

Concerned about an active attack path?

CVE-2021-3644: wildfly-core allows user with access to management interface to access vault expression, retrieve item from vault

3.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI