Back to search
CVE-2015-3158
Published: Aug 26, 2015
Modified: Aug 6, 2024
PUBLISHED
Description
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
RHSA-2015:1671
vendor-advisory
x_refsource_REDHAT
RHSA-2015:1672
vendor-advisory
x_refsource_REDHAT
RHSA-2015:1673
vendor-advisory
x_refsource_REDHAT
RHSA-2015:1670
vendor-advisory
x_refsource_REDHAT
https://github.com/picketlink/picketlink-bindings/pull/124
x_refsource_CONFIRM
https://issues.jboss.org/browse/PLINK-708
x_refsource_CONFIRM
RHSA-2015:1669
vendor-advisory
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=1216123
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now