CVE-2015-3158

Description

The `invokeNextValve` function in `identity/federation/bindings/tomcat/idp/AbstractIDPValve.java` in PicketLink before 2.7.1.Final does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

How to fix CVE-2015-3158

To remediate CVE-2015-3158, upgrade the affected package to a fixed version below.

• Maven/org.picketlink:picketlink-tomcat-common—upgrade to 2.7.1.Final or later

Is CVE-2015-3158 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.7.1.Final

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3158
• PATCHgithub.com/picketlink/picketlink-bindings
• WEBrhn.redhat.com/errata/RHSA-2015-1669.html
• WEBrhn.redhat.com/errata/RHSA-2015-1670.html
• WEB