Description
It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.
Analysis
Analysis and contextual insights are available on OpenCVE Cloud.
Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).
| Vendor | Product | Default status | Versions | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Red Hat | picketlink | affected |
|
Configuration 1 [-]
| AND |
|
Configuration 2 [-]
|
| Package | CPE | Advisory | Released Date |
|---|---|---|---|
| Red Hat JBoss EAP 7.2 | |||
| picketlink | cpe:/a:redhat:jboss_enterprise_application_platform:7.2 | RHSA-2019:1424 | 2019-06-10T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6 | |||
| eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el6eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6 | RHSA-2019:1419 | 2019-06-10T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7 | |||
| eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el7eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7 | RHSA-2019:1420 | 2019-06-10T00:00:00Z |
| Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8 | |||
| eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el8eap | cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8 | RHSA-2019:1421 | 2019-06-10T00:00:00Z |
| Red Hat Single Sign-On 7.3.2 zip | |||
| picketlink | cpe:/a:redhat:jboss_single_sign_on:7.3 | RHSA-2019:1456 | 2019-06-11T00:00:00Z |
No data available yet.
Remediation
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
 EUVD |
EUVD-2019-13486 | It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks. |
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2024-08-04T19:19:18.682Z
Reserved: 2019-01-03T00:00:00.000Z
Link: CVE-2019-3873
Vulnrichment
No data.
NVD
Status : Modified
Published: 2019-06-12T14:29:04.713
Modified: 2024-11-21T04:42:46.120
Link: CVE-2019-3873
Redhat
OpenCVE Enrichment
No data.
Weaknesses