CVSS2 score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
picketlink-federation is vulnerable to XML External Entity (XXE) attacks. The vulnerability exists because the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory method in PicketLink, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 5.2.0 and 6.2.4, expands entity references, which allows remote attackers to read arbitrary code and possibly have other unspecified impact via unspecified vectors (the XXE issue tracked as CVE-2014-3530).
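The fix for this class of bug is a DocumentBuilderFactory that refuses DTDs and never resolves or expands entities. The following is an added example written for this page, not PicketLink's own code: it builds such a factory and probes both it and a default factory with a constructed document carrying an entity declaration, so the difference in behaviour can be observed directly. The class and method names are assumptions.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class SafeDocumentBuilderFactory {

    // Returns a factory that rejects DOCTYPE declarations outright and, as
    // defence in depth, disables external entities, external DTD loading,
    // XInclude and entity-reference expansion. Each feature is set on its
    // own so an unsupported one fails loudly instead of being skipped.
    public static DocumentBuilderFactory create() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Parses a constructed document whose DOCTYPE declares an internal entity
    // (no network or file access needed) and reports whether the parser
    // rejected the DOCTYPE or accepted and expanded the entity.
    public static String probe(DocumentBuilderFactory dbf) {
        String xml = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE r [<!ENTITY e \"expanded\">]>\n"
                + "<r>&e;</r>";
        try {
            Document doc = dbf.newDocumentBuilder()
                    .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted: <r> contains \"" + doc.getDocumentElement().getTextContent() + "\"";
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  -> " + probe(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened -> " + probe(create()));
    }
}
```

A factory that reports "accepted" for the probe is the weak configuration; the hardened one reports "rejected" because the DOCTYPE is refused before any entity can be declared.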
rhn.redhat.com/errata/RHSA-2014-0883.html
rhn.redhat.com/errata/RHSA-2014-0884.html
rhn.redhat.com/errata/RHSA-2014-0885.html
rhn.redhat.com/errata/RHSA-2014-0886.html
rhn.redhat.com/errata/RHSA-2015-0091.html
rhn.redhat.com/errata/RHSA-2015-0675.html
rhn.redhat.com/errata/RHSA-2015-0720.html
rhn.redhat.com/errata/RHSA-2015-0765.html
rhn.redhat.com/errata/RHSA-2015-1888.html
secunia.com/advisories/60047
secunia.com/advisories/60124
www.securitytracker.com/id/1030607
access.redhat.com/errata/RHSA-2014:0883
access.redhat.com/errata/RHSA-2014:0884
access.redhat.com/errata/RHSA-2014:0885
access.redhat.com/errata/RHSA-2014:0886
access.redhat.com/errata/RHSA-2014:0897
access.redhat.com/errata/RHSA-2014:0898
access.redhat.com/errata/RHSA-2014:0910
access.redhat.com/errata/RHSA-2015:0091
access.redhat.com/errata/RHSA-2015:0234
access.redhat.com/errata/RHSA-2015:0235
access.redhat.com/errata/RHSA-2015:0675
access.redhat.com/errata/RHSA-2015:0720
access.redhat.com/errata/RHSA-2015:0765
access.redhat.com/errata/RHSA-2015:1009
access.redhat.com/errata/RHSA-2015:1888
access.redhat.com/security/cve/CVE-2014-3530
access.redhat.com/security/updates/classification/#important
bugzilla.redhat.com/show_bug.cgi?id=1112987
exchange.xforce.ibmcloud.com/vulnerabilities/94700