CVE-2010-2493

The default configuration of the deployment descriptor (aka web.xml) in
picketlink-sts.war in (1) the security_saml quickstart, (2) the
webservice_proxy_security quickstart, (3) the web-console application, (4)
the http-invoker application, (5) the gpd-deployer application, (6) the
jbpm-console application, (7) the contract application, and (8) the
uddi-console application in JBoss Enterprise SOA Platform before 5.0.2
contains GET and POST http-method elements, which allows remote attackers
to bypass intended access restrictions via a crafted HTTP request.

Bugs

• <https://bugzilla.redhat.com/show_bug.cgi?id=614774&gt;
• <https://jira.jboss.org/browse/SOA-2105&gt;