It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.

The version of Red Hat JBoss Enterprise Application Platform (EAP) installed on the remote host is 7.x prior to 7.2.2. It is therefore, affected my multiple vulnerabilities as referenced in the RHSA-2019:1424 advisory:

  - picketlink: reflected XSS in SAMLRequest via RelayState parameter     (CVE-2019-3872)

  - picketlink: URL injection via xinclude parameter (CVE-2019-3873)

  - undertow: leak credentials to log files     UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1421 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss     Application Server 7.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.2 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.1, and includes bug fixes and enhancements. Refer to the Red Hat     JBoss Enterprise Application Platform 7.2.2 Release Notes for information on the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872)

    * picketlink: URL injection via xinclude parameter (CVE-2019-3873)

    * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed     (CVE-2019-3888)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1420 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss     Application Server 7.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.2 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.1, and includes bug fixes and enhancements. Refer to the Red Hat     JBoss Enterprise Application Platform 7.2.2 Release Notes for information on the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872)

    * picketlink: URL injection via xinclude parameter (CVE-2019-3873)

    * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed     (CVE-2019-3888)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1419 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on JBoss     Application Server 7.

    This release of Red Hat JBoss Enterprise Application Platform 7.2.2 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.2.1, and includes bug fixes and enhancements. Refer to the Red Hat     JBoss Enterprise Application Platform 7.2.2 Release Notes for information on the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * picketlink: reflected XSS in SAMLRequest via RelayState parameter (CVE-2019-3872)

    * picketlink: URL injection via xinclude parameter (CVE-2019-3873)

    * undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed     (CVE-2019-3888)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
132312	Red Hat JBoss Enterprise Application Platform 7.x < 7.2.2 Multiple Vulnerabilities	Nessus	CGI abuses	critical
125842	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.2 on RHEL 8 (RHSA-2019:1421)	Nessus	Red Hat Local Security Checks	critical
125841	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.2 on RHEL 7 (RHSA-2019:1420)	Nessus	Red Hat Local Security Checks	critical
125840	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.2.2 on RHEL 6 (RHSA-2019:1419)	Nessus	Red Hat Local Security Checks	critical

Detections

Analytics

CVE-2019-3872

medium

Tenable Plugins

critical

critical

critical

critical