{"api_version":"1","generated_at":"2026-04-22T20:52:17+00:00","cve":"CVE-2021-3644","urls":{"html":"https://cve.report/CVE-2021-3644","api":"https://cve.report/api/cve/CVE-2021-3644.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3644","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3644"},"summary":{"title":"CVE-2021-3644","description":"A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-08-26 16:15:00","updated_at":"2022-08-31 20:02:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://issues.redhat.com/browse/WFCORE-5511","name":"https://issues.redhat.com/browse/WFCORE-5511","refsource":"MISC","tags":[],"title":"[WFCORE-5511] CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression - Red Hat Issue Tracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714","name":"https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714","refsource":"MISC","tags":[],"title":"Merge pull request #4669 from darranl/WFCORE-5511/16.x · wildfly/wildfly-core@06dd988 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b","name":"https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b","refsource":"MISC","tags":[],"title":"Merge pull request #4668 from darranl/WFCORE-5511/main · wildfly/wildfly-core@6d8db43 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/wildfly/wildfly-core/pull/4668","name":"https://github.com/wildfly/wildfly-core/pull/4668","refsource":"MISC","tags":[],"title":"[WFCORE-5511] wildfly-core: Invalid Sensitivity Classification of Vault Expression by darranl · Pull Request #4668 · wildfly/wildfly-core · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/security/cve/CVE-2021-3644","name":"https://access.redhat.com/security/cve/CVE-2021-3644","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1976052","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1976052","refsource":"MISC","tags":[],"title":"1976052 – (CVE-2021-3644) CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3644","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3644","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3644","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"descision_manager","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3644","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"wildfly","cpe6":"16.0.0","cpe7":"-","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3644","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"wildfly","cpe6":"17.0.0","cpe7":"beta2","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3644","qid":"239608","title":"Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.9 (RHSA-2021:3468)"},{"cve":"CVE-2021-3644","qid":"239609","title":"Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.9 (RHSA-2021:3467)"},{"cve":"CVE-2021-3644","qid":"239610","title":"Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.3.9 (RHSA-2021:3466)"},{"cve":"CVE-2021-3644","qid":"239652","title":"Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.4.1 (RHSA-2021:3658)"},{"cve":"CVE-2021-3644","qid":"239653","title":"Red Hat Update for Red Hat JBoss Enterprise Application Platform 7.4.1 (RHSA-2021:3656)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-3644","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in wildfly-core in all versions. If a vault expression is in the form of a single attribute that contains multiple expressions, a user who was granted access to the management interface can potentially access a vault expression they should not be able to access and possibly retrieve the item which was stored in the vault. The highest threat from this vulnerability is data confidentiality and integrity."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor","cweId":"CWE-200"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"wildfly-core","version":{"version_data":[{"version_affected":"=","version_value":"Fixed in 16.0.1.Final, 17.0.0.Final and later."}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1976052","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1976052"},{"url":"https://access.redhat.com/security/cve/CVE-2021-3644","refsource":"MISC","name":"https://access.redhat.com/security/cve/CVE-2021-3644"},{"url":"https://issues.redhat.com/browse/WFCORE-5511","refsource":"MISC","name":"https://issues.redhat.com/browse/WFCORE-5511"},{"url":"https://github.com/wildfly/wildfly-core/pull/4668","refsource":"MISC","name":"https://github.com/wildfly/wildfly-core/pull/4668"},{"url":"https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b","refsource":"MISC","name":"https://github.com/wildfly/wildfly-core/commit/6d8db43cd43b5994b7a14003db978064e086090b"},{"url":"https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714","refsource":"MISC","name":"https://github.com/wildfly/wildfly-core/commit/06dd9884f6ba50470b1fb5a35198a8784f037714"}]}},"nvd":{"publishedDate":"2022-08-26 16:15:00","lastModifiedDate":"2022-08-31 20:02:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW"},"exploitabilityScore":0.7,"impactScore":2.5}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:descision_manager:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:wildfly:16.0.0:-:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:wildfly:17.0.0:beta2:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3644","Ordinal":"212291","Title":"CVE-2021-3644","CVE":"CVE-2021-3644","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3644","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}