Bug 1216123 (CVE-2015-3158)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2015-3158 PicketLink: PicketLink IDP ignores role based authorization | | |
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, alazarot, asantos, aszczucz, bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, dhorton, epp-bugs, etirelli, felias, fnasser, gvarsami, hfnukal, huwang, jason.greene, jawilson, jboss-set, jbpapp-maint, jcoleman, jdg-bugs, jolee, jpallich, jshepherd, kconner, ldimaggi, lgao, lpetrovi, mbaluch, mweiler, mwinkler, myarboro, nwallace, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, slong, soa-p-jira, spinder, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | A flaw was found in the PicketLink Identity Provider Configuration (IDP) where, under specific conditions, the IDP ignores role-based authorization. This could lead to an authenticated user being able to access application resources that are not permitted for a given role. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-18 19:27:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1233305, 1233306, 1233307, 1233308, 1233309, 1233310, 1233311, 1233312, 1233313, 1233314, 1233315, 1233316, 1233317, 1233318, 1233319, 1233320, 1233321, 1233322, 1233323, 1233324, 1233325, 1233326 | | |
| Bug Blocks: | 1215682, 1255842 | | |
Description
Vasyl Kaigorodov
2015-04-28 14:19:53 UTC
upstream jira: PLINK-708
pull request: https://github.com/picketlink/picketlink-bindings/pull/124

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
Via RHSA-2015:1673 https://rhn.redhat.com/errata/RHSA-2015-1673.html

This issue has been addressed in the following products:
JBoss Enterprise Application Platform
Via RHSA-2015:1672 https://rhn.redhat.com/errata/RHSA-2015-1672.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
Via RHSA-2015:1670 https://rhn.redhat.com/errata/RHSA-2015-1670.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 5
Via RHSA-2015:1669 https://rhn.redhat.com/errata/RHSA-2015-1669.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 7
Via RHSA-2015:1671 https://rhn.redhat.com/errata/RHSA-2015-1671.html

This issue was addressed in JON 3.3.4 via rebase on EAP 6.4.3

This issue was addressed in JDG 7.0.0 via removal of the affected AbstractIDPValve class.