Vulnerability DatabaseCVE-2015-6254
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2015-6254
Published:August 17, 2015
Updated:May 17, 2026
The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types.
Related Resources (6)
http://rhn.redhat.com/errata/RHSA-2015-0849.html
http://rhn.redhat.com/errata/RHSA-2015-0846.html
http://rhn.redhat.com/errata/RHSA-2015-0847.html
https://bugzilla.redhat.com/show_bug.cgi?id=1194832
https://issues.jboss.org/browse/PLINK-680
http://rhn.redhat.com/errata/RHSA-2015-0848.html
Do you need more information?
Contact Us
CVSS v3
Base Score:
5
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
CVSS v2
Base Score:
6
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
EPSS
Base Score:
0.70