It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Find out more about CVE-2014-3530 from the MITRE CVE dictionary and NIST NVD.
This flaw could allow remote, unauthenticated attackers to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. All systems hosting PicketLink applications using SAML Identity Providers and Service Providers may be affected. It is strongly advised that anyone running an affected system applies patches to address this flaw.
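The flaw above is a parser-configuration problem, so the fix on the application side is a DocumentBuilderFactory that refuses a DOCTYPE and never resolves external entities. The example below is added here and is not PicketLink's or Red Hat's code: the class and method names are hypothetical, the SAML-like message is constructed, and it uses an internal entity so it runs offline (a default factory resolves an external SYSTEM entity the same way, which is the file read described in the advisory). It assumes the JDK's built-in Xerces parser, which supports every feature URI used; another JAXP implementation may throw ParserConfigurationException from setFeature, and that should be treated as a hard failure rather than swallowed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

/**
 * Added example, not PicketLink's own code: the permissive JAXP default beside a
 * hardened DocumentBuilderFactory, exercised with a constructed message that carries
 * a DOCTYPE. Class and method names are hypothetical.
 */
public final class HardenedXmlFactory {

    // Constructed sample. The entity is internal so the demo runs offline; the point is
    // only that the default factory expands it while the hardened one rejects the DOCTYPE.
    static final String SAMPLE_WITH_DOCTYPE =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE Response [ <!ENTITY greeting \"expanded\"> ]>\n"
          + "<Response xmlns=\"urn:oasis:names:tc:SAML:2.0:protocol\">&greeting;</Response>";

    /** The permissive configuration: JAXP defaults expand entity references. */
    public static DocumentBuilderFactory newDefaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Hardened configuration: no DOCTYPE, no external entities, no external DTD, no XInclude. */
    public static DocumentBuilderFactory newHardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; without a DTD there are no entity declarations to expand.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for a parser that accepts a DOCTYPE anyway.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        dbf.setNamespaceAware(true); // SAML processing needs namespaces
        return dbf;
    }

    /** Check for a factory handed to you by a library: does it still accept a DOCTYPE? */
    public static boolean acceptsDoctype(DocumentBuilderFactory dbf) {
        try {
            return !dbf.getFeature("http://apache.org/xml/features/disallow-doctype-decl");
        } catch (ParserConfigurationException e) {
            return true; // feature unknown to this parser: assume the worst
        }
    }

    /** Parses the document with the given factory and returns the root element's text. */
    static String parseRootText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory weak = newDefaultFactory();
        System.out.println("default accepts DOCTYPE:  " + acceptsDoctype(weak));
        // The default factory substitutes the entity: root text becomes "expanded".
        System.out.println("default parse result:     " + parseRootText(weak, SAMPLE_WITH_DOCTYPE));

        DocumentBuilderFactory hard = newHardenedFactory();
        System.out.println("hardened accepts DOCTYPE: " + acceptsDoctype(hard));
        try {
            parseRootText(hard, SAMPLE_WITH_DOCTYPE);
            System.out.println("hardened parse result:    UNEXPECTED success");
        } catch (SAXParseException e) {
            // Xerces reports that the DOCTYPE is disallowed; the entity is never expanded.
            System.out.println("hardened parse rejected:  " + e.getMessage());
        }
    }
}
```

The acceptsDoctype check is the useful part for an operator: call it on the factory a library actually returns (here, the one from DocumentUtil.getDocumentBuilderFactory()) to confirm whether the deployed version still takes a DOCTYPE. Applying the errata listed below remains the supported fix; the hardened factory shows what the patched behaviour needs to look like.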
CVSS v2 Metric | Value |
---|---|
Base Score | 7.5 |
Base Metrics | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Access Vector | Network |
Access Complexity | Low |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | Partial |
Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (picketlink-federation) | RHSA-2014:0885 | 2014-07-15 |
Red Hat JBoss Web Platform 5 for RHEL 5 Server (picketlink-federation) | RHSA-2014:0898 | 2014-07-16 |
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (picketlink-federation) | RHSA-2014:0885 | 2014-07-15 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (picketlink-federation) | RHSA-2014:0883 | 2014-07-15 |
Red Hat JBoss Web Platform 5 for RHEL 4 AS (picketlink-federation) | RHSA-2014:0898 | 2014-07-16 |
Red Hat JBoss Operations Network 3.2 | RHSA-2014:0910 | 2014-07-21 |
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (picketlink-federation) | RHSA-2014:0885 | 2014-07-15 |
Red Hat JBoss Web Platform 5 for RHEL 6 Server (picketlink-federation) | RHSA-2014:0898 | 2014-07-16 |
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (picketlink-federation) | RHSA-2014:0883 | 2014-07-15 |
Platform | Package | State |
---|---|---|
Red Hat JBoss Portal Platform 6 | picketlink | Affected |
Red Hat JBoss Portal 5 | picketlink | Affected |
Red Hat JBoss Fuse Service Works 6 | picketlink | Affected |
Red Hat JBoss Enterprise SOA Platform 5 | picketlink | Affected |
Red Hat JBoss EAP 6 | picketlink | Affected |
Red Hat JBoss EAP 5 | picketlink | Affected |
Red Hat JBoss Data Virtualization 6 | picketlink | Affected |
Red Hat JBoss Data Grid 6 | picketlink | Affected |
Red Hat JBoss BRMS 6 | picketlink | Affected |
Red Hat JBoss BRMS 5 | picketlink | Will not fix |
Red Hat JBoss BPMS 6 | picketlink | Affected |