Miggo Logo
Miggo Vulnerability Database
CVE-2021-3717

CVE-2021-3717: Wildfly-Core user account mismanagement

7.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-3717
GHSA ID
GHSA-p9xf-3rm3-qh2h
EPSS Score
0.06387%
CWE
CWE-552
Published
5/25/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.wildfly.core:wildfly-core-parentmaven< 17.017.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper file location handling for JBOSS_LOCAL_USER challenges. Based on CWE-552 and the description of 'incorrect challenge location', the analysis focuses on Elytron components managing local authentication. The LocalUserRepository and JBossLocalUserServerAuthenticationMechanism classes are core to this functionality. The medium confidence reflects inference from vulnerability patterns rather than direct patch analysis. Functions handling challenge file creation/path resolution would be critical vectors, as the flaw allowed global rather than user-specific file access.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in Wil**ly. *n in*orr**t J*OSS_LO**L_US*R ***ll*n** lo**tion w**n usin* t** *lytron *on*i*ur*tion m*y l*** to J*OSS_LO**L_US*R ****ss to *ll us*rs on t** m***in*. T** *i***st t*r**t *rom t*is vuln*r**ility is to *on*i**nti*lity, int*

Reasoning

T** vuln*r**ility st*ms *rom improp*r *il* lo**tion **n*lin* *or J*OSS_LO**L_US*R ***ll*n**s. **s** on *W*-*** *n* t** **s*ription o* 'in*orr**t ***ll*n** lo**tion', t** *n*lysis *o*us*s on *lytron *ompon*nts m*n**in* lo**l *ut**nti**tion. T** Lo**lU