Описание
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
It was found that when processing undefined security domains, the org.jboss.security.plugins.mapping.JBossMappingManager implementation would fall back to the default security domain if it was available. A user with valid credentials in the defined default domain, with a role that is valid in the expected application domain, could perform actions that were otherwise not available to them. When using the SAML2 STS Login Module, JBossMappingManager exposed this issue due to the PicketLink Trust SecurityActions implementation using a hardcoded default value when defining the context.
Отчет
Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4 and 5; Red Hat JBoss Enterprise Portal Platform 5; Red Hat JBoss Enterprise SOA Platform 4 and 5; and Red Hat JBoss Enterprise Web Platform 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | eap | Will not fix | ||
| Red Hat JBoss Data Grid 6 | eap | Affected | ||
| Red Hat JBoss Data Virtualization 6 | eap | Affected | ||
| Red Hat JBoss Enterprise Application Platform 4 | jbosssx | Will not fix | ||
| Red Hat JBoss Enterprise Application Platform 5 | jbosssx | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | epp-5 | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | others | Not affected | ||
| Red Hat JBoss Fuse Service Works 6 | eap | Affected | ||
| Red Hat JBoss Operations Network 3 | eap | Affected | ||
| Red Hat JBoss Portal 4 | jbosssx | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
3.5 Low
CVSS2
Связанные уязвимости
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.
EPSS
3.5 Low
CVSS2