CVE-2015-3158: PicketLink does not properly check role based authorization
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.
References
- rhn.redhat.com/errata/RHSA-2015-1669.html
- rhn.redhat.com/errata/RHSA-2015-1670.html
- rhn.redhat.com/errata/RHSA-2015-1671.html
- rhn.redhat.com/errata/RHSA-2015-1672.html
- rhn.redhat.com/errata/RHSA-2015-1673.html
- bugzilla.redhat.com/show_bug.cgi?id=1216123
- github.com/advisories/GHSA-9qhq-j4xm-cw48
- github.com/picketlink/picketlink-bindings/commit/ae6ff4adfc562880e714a089983054b47610ecec
- github.com/picketlink/picketlink-bindings/pull/124
- issues.jboss.org/browse/PLINK-708
- nvd.nist.gov/vuln/detail/CVE-2015-3158