PT-2015-6083 · Jboss · Picketlink
Vasyl Kaigorodov · Published 2015-08-26 · Updated 2022-05-17 · CVE-2015-3158
CVSS v2.0: 4.0 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
PicketLink versions prior to 2.8.0.Beta1 (this range also covers every release prior to 2.7.1.Final)
Description
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java does not properly check role-based authorization. This allows remote authenticated users to gain access to restricted application resources via a direct request or a request through an SP initiated flow.
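To show the defect class the description refers to (a Tomcat valve that treats "authenticated" as "authorized"), here is an added example written for this page; it is not PicketLink's code, and the class name, the `requiredRoles` set and the any-of role policy are assumptions. The unchecked method mirrors the missing check; `invoke` shows the hardened form.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

/** Hypothetical IdP valve illustrating a missing role-based authorization check. */
public class RoleCheckingIdpValve extends ValveBase {

    // Roles the protected IdP resources require. In a real deployment this
    // would come from the valve's configuration; here it is a constructed value.
    private final Set<String> requiredRoles;

    public RoleCheckingIdpValve(Set<String> requiredRoles) {
        this.requiredRoles = requiredRoles;
    }

    // Vulnerable pattern: any authenticated user is forwarded to the next valve,
    // so the roles of the protected resource are never enforced.
    private void invokeNextValveUnchecked(Request request, Response response)
            throws IOException, ServletException {
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        getNext().invoke(request, response); // no role check here
    }

    // Hardened pattern: authenticate, then authorize, then forward.
    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (!isAuthorized(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        getNext().invoke(request, response);
    }

    // Fail closed: an empty role set denies everyone; otherwise the container's
    // role mapping decides, and holding any one required role is sufficient.
    boolean isAuthorized(Request request) {
        return requiredRoles.stream().anyMatch(request::isUserInRole);
    }
}
```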
Recommendations
For versions prior to 2.8.0.Beta1, update to version 2.8.0.Beta1 or later to resolve the issue.
If upgrading is not immediately possible, consider restricting access to the invokeNextValve function in AbstractIDPValve.java as a temporary workaround.
Weakness Enumeration
Related Identifiers
Affected Products
Picketlink