CVE-2015-3158

medium

Description

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

References

https://issues.jboss.org/browse/PLINK-708

https://github.com/picketlink/picketlink-bindings/pull/124

https://bugzilla.redhat.com/show_bug.cgi?id=1216123

http://rhn.redhat.com/errata/RHSA-2015-1673.html

http://rhn.redhat.com/errata/RHSA-2015-1672.html

http://rhn.redhat.com/errata/RHSA-2015-1671.html

http://rhn.redhat.com/errata/RHSA-2015-1670.html

http://rhn.redhat.com/errata/RHSA-2015-1669.html

Details

Source: Mitre, NVD

Published: 2015-08-26

Updated: 2015-08-27

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Severity: Medium