Details
Bug
Resolution: Done
Blocker
Description
This is potentially a security vulnerability, therefore it is a BLOCKER.
The security subsystem contains attributes with capabilities which don't set an access-constraint.
All of them have an Elytron compatibility capability and I expect some access constraint there too.
How to reproduce:
/subsystem=security:read-resource-description(recursive=true)
There are some places where access constraints are missing:
elytron-key-store with org.wildfly.security.key-store capability.
elytron-realm with org.wildfly.security.security-realm capability.
elytron-trust-manager with org.wildfly.security.trust-managers capability.
elytron-key-manager with org.wildfly.security.key-managers capability.
elytron-trust-store with org.wildfly.security.key-store capability.
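
One way to automate the check described above, as an added example that is not part of the original report or of WildFly's code: it walks a JSON rendering of the read-resource-description(recursive=true) result and lists every resource that registers a capability but carries no access constraint. The JSON layout it reads and the sample input (including the example-* entries) are assumptions constructed for illustration.

```python
import json

# Constructed sample, trimmed to the keys the check reads. Assumed layout:
# "capabilities", "access-constraints", and "children" -> "model-description".
# The example-* entries are hypothetical and exist only to show non-findings.
SAMPLE = json.loads("""
{
  "children": {
    "elytron-key-store": {"model-description": {"*": {
      "capabilities": [{"name": "org.wildfly.security.key-store", "dynamic": true}]
    }}},
    "elytron-realm": {"model-description": {"*": {
      "capabilities": [{"name": "org.wildfly.security.security-realm", "dynamic": true}],
      "access-constraints": {}
    }}},
    "example-constrained": {"model-description": {"*": {
      "capabilities": [{"name": "org.example.constrained", "dynamic": true}],
      "access-constraints": {"sensitive": {"example-classification": {"type": "core"}}}
    }}},
    "example-plain": {"model-description": null}
  }
}
""")


def find_unconstrained(desc, address="/subsystem=security"):
    """Return (address, [capability names]) for each resource description that
    declares capabilities but has no non-empty access-constraints entry."""
    findings = []
    caps = [c["name"] if isinstance(c, dict) else str(c)
            for c in desc.get("capabilities") or []]
    # An absent key and an empty map both count as "no constraint set".
    constrained = any((desc.get("access-constraints") or {}).values())
    if caps and not constrained:
        findings.append((address, caps))
    for child_type, child in (desc.get("children") or {}).items():
        # model-description is null when the description was not read recursively.
        for name, model in (child.get("model-description") or {}).items():
            if isinstance(model, dict):
                findings.extend(
                    find_unconstrained(model, f"{address}/{child_type}={name}"))
    return findings


if __name__ == "__main__":
    for addr, caps in find_unconstrained(SAMPLE):
        print(f"{addr}: capabilities {caps} without access-constraints")
```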