{"id":"CVE-2022-0866","details":"This is a concurrency issue that can result in the wrong caller principal being returned from the session context of an EJB that is configured with a RunAs principal. In particular, the org.jboss.as.ejb3.component.EJBComponent class has an incomingRunAsIdentity field. This field is used by the org.jboss.as.ejb3.security.RunAsPrincipalInterceptor to keep track of the current identity prior to switching to a new identity created using the RunAs principal. The problem is that the EJBComponent#incomingRunAsIdentity field is currently just a SecurityIdentity. This means in a concurrent environment, where multiple users are repeatedly invoking an EJB that is configured with a RunAs principal, it's possible for the wrong caller principal to be returned from EJBComponent#getCallerPrincipal. Similarly, it's also possible for EJBComponent#isCallerInRole to return the wrong value. Both of these methods rely on incomingRunAsIdentity. Affects all versions of JBoss EAP from 7.1.0 and all versions of WildFly 11+ when Elytron is enabled.","aliases":["BIT-wildfly-2022-0866"],"modified":"2025-11-14T12:44:47.540626Z","published":"2022-05-10T21:15:08.817Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2060929#c0"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wildfly/wildfly","events":[{"introduced":"4fd7bffaf2ee73201910684f2674aa1bced7fe81"},{"fixed":"3d03e9c2a39cc5850d363600e91f03c2ce35e219"}]}],"versions":["11.0.0.Final","12.0.0.Beta1","12.0.0.CR1","12.0.0.Final","13.0.0.Beta1","13.0.0.Final","14.0.0.Beta1","14.0.0.Beta2","14.0.0.Final","15.0.0.Beta1","15.0.0.Final","16.0.0.Beta1","16.0.0.Final","17.0.0.Alpha1","17.0.0.Beta1","17.0.0.Final","18.0.0.Beta1","18.0.0.Final","19.0.0.Beta1","19.0.0.Beta2","20.0.0.Beta1","20.0.0.Final","21.0.0.Beta1","21.0.0.Final","22.0.0.Alpha1","22.0.0.Beta1","22.0.0.Final","23.0.0.Beta1","23.0.0.Final","24.0.0.Beta1","25.0.0.Beta1","25.0.0.Final","26.0.0.Beta1","26.0.0.Final","26.0.1.Final","26.1.0.Beta1","26.1.0.Final"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-0866.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}