Skip to content

PicketLink does not properly check role based authorization

Moderate severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Jan 5, 2024

Package

maven org.picketlink:picketlink-tomcat-common (Maven)

Affected versions

< 2.7.1.Final

Patched versions

2.7.1.Final

Description

The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.7.1.Final does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

References

Published by the National Vulnerability Database Aug 26, 2015
Published to the GitHub Advisory Database May 17, 2022
Reviewed Jan 5, 2024
Last updated Jan 5, 2024

Severity

Moderate

EPSS score

0.232%
(62nd percentile)

Weaknesses

No CWEs

CVE ID

CVE-2015-3158

GHSA ID

GHSA-9qhq-j4xm-cw48

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.