First published: Wed Nov 05 2014
It was discovered that, when dealing with undefined security domains, the org.jboss.security.plugins.mapping.JBossMappingManager implementation would fall back to the default security domain if one was available. A user with valid credentials in the defined default domain, holding a role that is valid in the expected application domain, could perform actions that were otherwise not available to them. When using the SAML2 STS Login Module, JBossMappingManager exposes this issue because the PicketLink Trust SecurityActions implementation uses a hardcoded default value when defining the context.
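The following is an added illustration, not JBoss or PicketLink code: it models the fallback the advisory describes next to a fail-closed lookup, so the difference in authorization outcome is visible. The domain name "other", the user "alice", and the role "admin" are constructed values.

```python
"""Model of the undefined-domain fallback described in the advisory.

Constructed example, not JBoss/PicketLink code. Domain names, users and
roles are hypothetical.
"""
from dataclasses import dataclass, field

DEFAULT_DOMAIN = "other"  # hypothetical name of the default security domain


@dataclass
class SecurityDomain:
    name: str
    # username -> set of roles granted in this domain (constructed data)
    roles: dict = field(default_factory=dict)


# Constructed configuration: only the default domain is defined; the
# application's expected domain ("app-domain") is absent from the config.
DOMAINS = {
    DEFAULT_DOMAIN: SecurityDomain(DEFAULT_DOMAIN, {"alice": {"admin"}}),
}


def lookup_with_fallback(domain_name):
    """Vulnerable behaviour: an undefined domain silently resolves to the default."""
    return DOMAINS.get(domain_name) or DOMAINS.get(DEFAULT_DOMAIN)


def lookup_fail_closed(domain_name):
    """Hardened behaviour: an undefined domain is an error, never a substitute."""
    domain = DOMAINS.get(domain_name)
    if domain is None:
        raise LookupError(f"security domain {domain_name!r} is not defined")
    return domain


def has_role(lookup, domain_name, user, role):
    """Authorization check parameterised by the lookup strategy; denies on error."""
    try:
        domain = lookup(domain_name)
    except LookupError:
        return False
    return role in domain.roles.get(user, set())


if __name__ == "__main__":
    # alice holds 'admin' only in the default domain, yet passes the check for
    # the undefined application domain when the fallback is in place.
    print(has_role(lookup_with_fallback, "app-domain", "alice", "admin"))  # True
    print(has_role(lookup_fail_closed, "app-domain", "alice", "admin"))    # False
```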
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat JBoss Enterprise Application Platform | <= 6.3.2 | |