Authentication Bypass Affecting org.picketlink:picketlink-federation package, versions [2,2.5.3.SP13], [2.6,2.6.1], [2.7-alpha,2.7.1.Beta2]


Severity

Snyk recommended severity: low (score 0.0). CVSS assessment made by Snyk's Security Team.

Threat Intelligence

EPSS: 0.34% (72nd percentile)

  • Snyk ID: SNYK-JAVA-ORGPICKETLINK-30148
  • Published: 25 Dec 2016
  • Disclosed: 13 Feb 2015
  • Credit: Ondra Lukas

Introduced: 13 Feb 2015

CVE-2014-7827
CWE-264

Overview

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined. A remote authenticated user whose credentials on the default domain carry a role name that the application domain also uses can therefore bypass the application's intended access restrictions.
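To make the failure mode concrete, the following is an added, simplified model of the behaviour the overview describes; it is not PicketLink or JBoss code. The default-domain name, the principals, and the role names are constructed for the example. It places the silent fallback to the default domain beside a fail-closed lookup that refuses to map roles when the requested domain is undefined.

```python
# Added example (not PicketLink/JBoss code): a simplified model of role
# mapping that falls back to the default security domain, beside a
# fail-closed version of the same lookup.
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Name of the container-wide default security domain. The name is an
# assumption for this example; only the fallback behaviour matters.
DEFAULT_DOMAIN = "default"


class UndefinedSecurityDomain(Exception):
    """Raised by the hardened lookup when a deployment names no defined domain."""


@dataclass
class MappingManager:
    # domain name -> principal -> set of role names (constructed sample data)
    domains: Dict[str, Dict[str, Set[str]]]

    def roles_with_fallback(self, domain: Optional[str], principal: str) -> Set[str]:
        """Vulnerable pattern: an undefined domain silently becomes the default."""
        cfg = self.domains.get(domain) if domain is not None else None
        if cfg is None:
            cfg = self.domains.get(DEFAULT_DOMAIN, {})
        return set(cfg.get(principal, set()))

    def roles_fail_closed(self, domain: Optional[str], principal: str) -> Set[str]:
        """Hardened pattern: refuse to map roles for an undefined domain."""
        if domain is None or domain not in self.domains:
            raise UndefinedSecurityDomain(f"security domain {domain!r} is not defined")
        return set(self.domains[domain].get(principal, set()))


def authorize(roles: Set[str], required_role: str) -> bool:
    """Role-based access check: the caller must hold the required role."""
    return required_role in roles


# Constructed sample: the application expects the "admin" role from its own
# domain, but the same role name also exists in the default domain.
SAMPLE_DOMAINS = {
    DEFAULT_DOMAIN: {"alice": {"admin"}},   # alice holds "admin" only here
    "app-domain": {"bob": {"admin"}},       # the application's intended domain
}
MANAGER = MappingManager(SAMPLE_DOMAINS)


def vulnerable_decision(requested_domain: Optional[str], principal: str) -> bool:
    """Access decision using the fallback lookup."""
    return authorize(MANAGER.roles_with_fallback(requested_domain, principal), "admin")


def hardened_decision(requested_domain: Optional[str], principal: str) -> bool:
    """Access decision using the fail-closed lookup; an undefined domain denies."""
    try:
        roles = MANAGER.roles_fail_closed(requested_domain, principal)
    except UndefinedSecurityDomain:
        return False
    return authorize(roles, "admin")


if __name__ == "__main__":
    # A deployment whose security-domain name is undefined (for example misspelled).
    print("fallback grants admin to alice:", vulnerable_decision("app-domain-misspelled", "alice"))
    print("fail-closed denies alice:", hardened_decision("app-domain-misspelled", "alice"))
    print("bob on his own domain:", hardened_decision("app-domain", "bob"))
```

The detection angle for operators is the same as the fix: a deployment that reaches the default domain without naming one is a configuration error, so the lookup should log and deny rather than succeed, and role names shared between the default domain and application domains deserve a review of who holds them on the default side.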

CVSS Scores: version 3.1