Description

It was discovered that the ElytronManagedThread in Wildfly's Elytron subsystem in versions from 11 to 16 stores a SecurityIdentity to run the thread as. These threads do not necessarily terminate if the keep alive time has not expired. This could allow a shared thread to use the wrong security identity when executing.

Remediation

References

CVE-2019-3894

Related Vulnerabilities

WordPress Plugin Elementor Addon Elements Cross-Site Request Forgery (1.11.7)

WordPress Plugin Windsor Strava Athlete Unspecified Vulnerability (1.3.5)

WordPress Plugin WooCommerce HTML Injection (6.5.1)

Apache HTTP Server Other Vulnerability (CVE-2005-1344)

WordPress Plugin FavIcon Switcher Cross-Site Request Forgery (1.2.11)

Severity

High

Classification

CVE-2019-3894 CWE-264 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities