CVE-2015-3158

Опубликовано: 05 июн. 2015

Источник: redhat

CVSS2: 3.5

EPSS Низкий

Описание

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat BPM Suite 6	picketlink	Affected
Red Hat JBoss BRMS 6	picketlink	Affected
Red Hat JBoss Data Grid 6	picketlink	Affected
Red Hat JBoss Data Virtualization 6	picketlink	Affected
Red Hat JBoss Enterprise Application Platform 5	picketlink	Will not fix
Red Hat JBoss Fuse Service Works 6	picketlink	Affected
Red Hat JBoss Operations Network 3	picketlink	Affected
Red Hat JBoss Portal 6	picketlink	Affected
Red Hat JBoss SOA Platform 5	picketlink	Will not fix
Red Hat JBoss Enterprise Application Platform 6.4	picketlink	Fixed	RHSA-2015:1672	24.08.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

https://bugzilla.redhat.com/show_bug.cgi?id=1216123PicketLink: PicketLink IDP ignores role based authorization

EPSS

Процентиль: 63%

0.00447

Низкий

3.5 Low

CVSS2

Связанные уязвимости

CVE-2015-3158

nvd

больше 10 лет назад

GHSA-9qhq-j4xm-cw48

github

больше 3 лет назад