5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.008 Low
EPSS
Percentile
81.6%
The default configuration of the deployment descriptor (aka web.xml) in
picketlink-sts.war in (1) the security_saml quickstart, (2) the
webservice_proxy_security quickstart, (3) the web-console application, (4)
the http-invoker application, (5) the gpd-deployer application, (6) the
jbpm-console application, (7) the contract application, and (8) the
uddi-console application in JBoss Enterprise SOA Platform before 5.0.2
contains GET and POST http-method elements, which allows remote attackers
to bypass intended access restrictions via a crafted HTTP request.