Moderate severity · NVD Advisory · Published Aug 26, 2015 · Updated May 6, 2026
CVE-2015-3158
Description
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.picketlink:picketlink-tomcat-common (Maven) | < 2.7.1.Final | 2.7.1.Final |
Affected products
Patches (1)
ae6ff4adfc56 Merge pull request #124 from pedroigor/master
1 file changed · +4 −0
picketlink-tomcat-common/src/main/java/org/picketlink/identity/federation/bindings/tomcat/idp/AbstractIDPValve.java+4 −0 modified@@ -400,6 +400,10 @@ public void invoke(Request request, Response response) throws IOException, Servl invokeNextValve(request, response); + if (isUnauthorized(response)) { + return; + } + userPrincipal = request.getUserPrincipal(); // we only handle SAML messages for authenticated users.
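Review bot: the early return added right after invokeNextValve(request, response) depends on isUnauthorized(response), which this hunk neither shows nor documents; add a comment at the new `if` stating what response state it tests (for example a status already set by the downstream valve), so readers understand why the SAML handling that follows (`userPrincipal = request.getUserPrincipal();`) is skipped only in that case. The fix also deserves a regression test for both paths named in the advisory, a direct request to a restricted resource and a request arriving through an SP-initiated flow, asserting that neither reaches the SAML handling when the role check fails.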
References (11)
- github.com/advisories/GHSA-9qhq-j4xm-cw48 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-3158 (GHSA, advisory)
- rhn.redhat.com/errata/RHSA-2015-1669.html (NVD, web)
- rhn.redhat.com/errata/RHSA-2015-1670.html (NVD, web)
- rhn.redhat.com/errata/RHSA-2015-1671.html (NVD, web)
- rhn.redhat.com/errata/RHSA-2015-1672.html (NVD, web)
- rhn.redhat.com/errata/RHSA-2015-1673.html (NVD, web)
- bugzilla.redhat.com/show_bug.cgi (NVD, web)
- github.com/picketlink/picketlink-bindings/commit/ae6ff4adfc562880e714a089983054b47610ecec (GHSA, web)
- github.com/picketlink/picketlink-bindings/pull/124 (NVD, web)
- issues.jboss.org/browse/PLINK-708 (NVD, web)