VDB
RHSA-2019%3A0139
RHSA-2019%3A0139
PUBLISHED
CVSS 6.5 MEDIUM
It was found that while parsing the SAML messages the StaxParserUtil class of Picketlink replaces special strings for obtaining attribute values with system property. This could allow an attacker to determine values of system properties at the attacked system by formatting the SAML request ID field to be the chosen system property which could be obtained in the "InResponseTo" field in the response.
Risk Scores
CVSS 3.0
6.5
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat JBoss EAP 7.2 |
Timeline
- Jan 22, 2019 CVE Published
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2019:0139 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=distributions&version=7.2 advisory
- https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/?version=7.2 advisory
- https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.2/html-single/installation_guide/ advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1410481 issue
- https://issues.redhat.com/browse/JBEAP-12932 advisory
- https://issues.redhat.com/browse/JBEAP-13189 advisory
- https://issues.redhat.com/browse/JBEAP-13658 advisory
- https://issues.redhat.com/browse/JBEAP-13867 advisory
- https://issues.redhat.com/browse/JBEAP-13895 advisory
- https://issues.redhat.com/browse/JBEAP-14222 advisory
- https://issues.redhat.com/browse/JBEAP-14239 advisory
- https://issues.redhat.com/browse/JBEAP-14386 advisory
- https://issues.redhat.com/browse/JBEAP-14415 advisory
- https://issues.redhat.com/browse/JBEAP-14421 advisory
- https://issues.redhat.com/browse/JBEAP-14422 advisory
- https://issues.redhat.com/browse/JBEAP-14427 advisory
- https://issues.redhat.com/browse/JBEAP-14504 advisory
- https://issues.redhat.com/browse/JBEAP-14811 advisory
…and 40 more