CVE-2015-3158

描述

The `invokeNextValve` function in `identity/federation/bindings/tomcat/idp/AbstractIDPValve.java` in PicketLink before 2.7.1.Final does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.

如何修補 CVE-2015-3158

要修補 CVE-2015-3158,請將受影響套件升級到下列已修補版本。

• Maven/org.picketlink:picketlink-tomcat-common—升級至 2.7.1.Final 或更新版本

CVE-2015-3158 正在被利用嗎?

低 — EPSS 為 0.5%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.7.1.Final

參考連結(11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-3158
• PATCHgithub.com/picketlink/picketlink-bindings
• WEBrhn.redhat.com/errata/RHSA-2015-1669.html
• WEBrhn.redhat.com/errata/RHSA-2015-1670.html
• WEB