166 matches found
picketlink: reflected XSS in SAMLRequest via RelayState parameter
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks...
picketlink: URL injection via xinclude parameter
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...
picketlink: reflected XSS in SAMLRequest via RelayState parameter
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks...
picketlink: URL injection via xinclude parameter
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...
picketlink: reflected XSS in SAMLRequest via RelayState parameter
It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks...
picketlink: URL injection via xinclude parameter
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks...
Moderate: Red Hat Security Advisory: Red Hat JBoss Web Server 5.0 Service Pack 2 security and bug fix update
An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity ratin...
Moderate: Red Hat Security Advisory: Red Hat JBoss Web Server 5.0 Service Pack 2 security and bug fix update
An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity ratin...
RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.2.0 (RHSA-2019:0137)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:0137 advisory. This enhancement adds the new Red Hat JBoss Enterprise Application Platform 7.2.0 packages to Red Hat Enterprise Linux 7. This release serves as a...
The vulnerability in the StaxParserUtil class of Picketlink software for managing security and application identification in Java applications allows a perpetrator to disclose protected information.
The vulnerability of the StaxParserUtil class in Picketlink software for managing security and application identification in Java applications is related to deficiencies in the processing of input data during SAML message analysis. Exploiting this vulnerability allows a malicious actor to disclos...
Moderate: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 7.2.0 security update
Updated packages that provide Red Hat JBoss Enterprise Application Platform 7.2.0, fix several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scorin...
keycloak: SAML request parser replaces special strings with system properties
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID fie...
keycloak: SAML request parser replaces special strings with system properties
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID fie...
Authorization Bypass In The InvokeNextValue Function
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a 1 direct request or 2...
XML External Entity (XXE)
picketlink-federation is vulnerable to XML External Entity XXE attacks. The vulnerability exists as the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform JBEAP 5.2.0 and 6.2.4, expands entity references...
RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 1 (RHSA-2018:2868)
The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2868 advisory. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the...
Important: Red Hat Security Advisory: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
Important: Red Hat Security Advisory: Red Hat JBoss Web Server 5.0 Service Pack 1 security and bug fix update
An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...
keycloak: SAML request parser replaces special strings with system properties
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID fie...
Important: Red Hat Security Advisory: Red Hat JBoss Enterprise Application Platform 6.4.21 security update
An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, ...