Vulnerability DatabaseCVE-2015-3158
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2015-3158
Published:August 26, 2015
Updated:May 17, 2026
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.
Affected Packages
org.picketlink:picketlink-tomcat-common (JAVA):
Affected version(s) >=2.1.0.Final <2.7.1.Final
Fix Suggestion:
Update to version 2.7.1.Final
Related Resources (11)
http://rhn.redhat.com/errata/RHSA-2015-1671.html
http://rhn.redhat.com/errata/RHSA-2015-1670.html
https://github.com/picketlink/picketlink-bindings
https://github.com/picketlink/picketlink-bindings/pull/124
http://rhn.redhat.com/errata/RHSA-2015-1673.html
http://rhn.redhat.com/errata/RHSA-2015-1669.html
https://issues.jboss.org/browse/PLINK-708
https://bugzilla.redhat.com/show_bug.cgi?id=1216123
https://nvd.nist.gov/vuln/detail/CVE-2015-3158
http://rhn.redhat.com/errata/RHSA-2015-1672.html
https://github.com/picketlink/picketlink-bindings/commit/ae6ff4adfc562880e714a089983054b47610ecec
Do you need more information?
Contact Us
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
EPSS
Base Score:
0.47