{"id":"CVE-2022-0866","details":"This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The issue is that the EJBComponent#incomingRunAsIdentity field is currently just a single SecurityIdentity. This means that in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it is possible for the wrong caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it is also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.","aliases":["BIT-wildfly-2022-0866"],"modified":"2026-04-10T04:42:29.325139Z","published":"2022-05-10T21:15:08.817Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wildfly/wildfly","events":[{"introduced":"0"},{"last_affected":"8116c89f7cb4e200e9db45a247e8a8aff7f6177a"},{"introduced":"4fd7bffaf2ee73201910684f2674aa1bced7fe81"},{"fixed":"3d03e9c2a39cc5850d363600e91f03c2ce35e219"},{"introduced":"0"},{"last_affected":"59d100a081868309d0ebb164351e6b159aeee0cb"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"13.0"},{"introduced":"11.0.0"},{"fixed":"26.1.1"},{"introduced":"0"},{"last_affected":"27.0.0-alpha1"}]}}],"versions":["11.0.0.Final","12.0.0.Beta1","12.0.0.CR1","12.0.0.Final","13.0.0.Beta1","13.0.0.Final","14.0.0.Beta1","14.0.0.Beta2","14.0.0.Final","15.0.0.Beta1","15.0.0.Final","16.0.0.Beta1","16.0.0.Final","17.0.0.Alpha1","17.0.0.Beta1","17.0.0.Final","18.0.0.Beta1","18.0.0.Final","19.0.0.Beta1","19.0.0.Beta2","20.0.0.Beta1","20.0.0.Final","21.0.0.Beta1","21.0.0.Final","22.0.0.Alpha1","22.0.0.Beta1","22.0.0.Final","23.0.0.Beta1","23.0.0.Final","24.0.0.Beta1","25.0.0.Beta1","25.0.0.Final","26.0.0.Beta1","26.0.0.Final","26.0.1.Final","26.1.0.Beta1","26.1.0.Final","27.0.0.Alpha1"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"7.1.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-0866.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}