[WFCORE-6544] CVE-2023-4061 Management RBAC permission allows unexpected reading of system-properties via resolve-expression #5703

bstansberry · 2023-10-05T23:36:56Z

…dler before resolving

bstansberry · 2023-10-05T23:37:12Z

@darranl Please review

yersan · 2023-10-06T09:44:49Z

.../rbac/src/test/java/org/jboss/as/test/integration/mgmt/access/ResolveExpressionTestCase.java

@@ -0,0 +1,109 @@
+package org.jboss.as.test.integration.mgmt.access;


We should add a license header later, it is not a hard requirement.

bstansberry · 2023-10-06T13:19:41Z

Thanks @yersan. Right before merging I added a commit to add the license header.

darranl

Great

bstansberry added 2 commits October 5, 2023 18:04

[WFCORE-6544] Treat system property reads as sensitive by default

b31c42a

[WFCORE-6544] Add an RBAC authorization check to ResolveExpressionHan…

3a83281

…dler before resolving

bstansberry added Blocker 22.x labels Oct 5, 2023

github-actions bot added the deps-ok Dependencies have been checked, and there are no significant changes label Oct 5, 2023

yersan requested a review from darranl October 6, 2023 09:36

yersan approved these changes Oct 6, 2023

View reviewed changes

Add a copyright/license header to ResolveExpressionTestCase.java

8abbe9f

bstansberry merged commit 25728f3 into wildfly:main Oct 6, 2023
1 check passed

bstansberry deleted the WFCORE-6544 branch October 6, 2023 13:19

darranl reviewed Oct 6, 2023

View reviewed changes

Provide feedback

		@@ -0,0 +1,109 @@
		package org.jboss.as.test.integration.mgmt.access;