{
  "threat_severity" : "Important",
  "public_date" : "2025-03-03T00:00:00Z",
  "bugzilla" : {
    "description" : "org.wildfly.core:wildfly-elytron-integration: Wildfly Elytron Brute Force Attack via CLI",
    "id" : "2337621",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2337621"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-307",
  "details" : [ "A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.", "A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI." ],
  "statement" : "According to WildFly Elytron, this affects all versions of JBoss EAP from version 7.1 onward.\nRed Hat build of Keycloak does not ship wildfly-elytron.",
  "acknowledgement" : "Red Hat would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18059",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "wildfly-elytron-integration"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 8",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18054",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el8",
    "package" : "eap8-wildfly-0:8.1.6-5.GA_redhat_00007.1.el8eap"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8.1 for RHEL 9",
    "release_date" : "2026-05-18T00:00:00Z",
    "advisory" : "RHSA-2026:18055",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8.1::el9",
    "package" : "eap8-wildfly-0:8.1.6-5.GA_redhat_00007.1.el9eap"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Data Grid 8",
    "fix_state" : "Affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Will not fix",
    "package_name" : "wildfly-elytron-integration",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 7",
    "fix_state" : "Will not fix",
    "package_name" : "wildfly-elytron-integration",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "wildfly-elytron-integration",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Affected",
    "package_name" : "wildfly-elytron-integration",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "org.wildfly.security/wildfly-elytron",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Will not fix",
    "package_name" : "wildfly-elytron-integration",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-23368\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-23368\nhttps://www.gruppotim.it/it/footer/red-team.html" ],
  "name" : "CVE-2025-23368",
  "mitigation" : {
    "value" : "The effectiveness of an attack also depends on the complexity of the usernames and passwords defined for the target installation.",
    "lang" : "en:us"
  },
  "csaw" : false
}