{"containers": {"cna": {"affected": [{"product": "picketlink", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "as shipped with Jboss Enterprise Application Platform 7.2.x and 7.1.x"}]}], "descriptions": [{"lang": "en", "value": "It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-06-12T14:06:06", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"}, {"name": "108732", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/108732"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T19:19:18.614Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"}, {"name": "108732", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/108732"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-3872", "datePublished": "2019-06-12T13:45:56", "dateReserved": "2019-01-03T00:00:00", "dateUpdated": "2024-08-04T19:19:18.614Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "0952BA1A-5DF9-400F-B01F-C3A398A8A2D4", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks."}, {"lang": "es", "value": "Se encontr\u00f3 que un SAMLRequest que conten\u00eda un script pod\u00eda ser procesado por versiones de Picketlink enviadas en Jboss Application Platform 7.2.xy 7.1.x. Un atacante podr\u00eda usar esto para enviar un script malicioso para lograr scripts entre sitios y obtener informaci\u00f3n no autorizada o lleva cabo de m\u00e1s ataques."}], "id": "CVE-2019-3872", "lastModified": "2019-10-09T23:49:50.133", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2019-06-12T14:29:04.667", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/108732"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3872"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2019:1424", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2", "impact": "moderate", "package": "picketlink", "product_name": "Red Hat JBoss EAP 7.2", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1419", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el6", "impact": "moderate", "package": "eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el6eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1420", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el7", "impact": "moderate", "package": "eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el7eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-apache-commons-codec-0:1.11.0-2.redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-apache-cxf-0:3.2.7-2.redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-hal-console-0:3.0.11-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-hibernate-0:5.3.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-hornetq-0:2.4.7-7.Final_redhat_2.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-ironjacamar-0:1.4.16-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-javassist-0:3.23.2-2.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-ejb-client-0:4.0.18-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-marshalling-0:2.0.7-2.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-modules-0:1.8.8-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-openjdk-orb-0:8.1.3-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-remoting-0:5.0.9-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-server-migration-0:1.3.1-2.Final_redhat_00002.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jboss-xnio-base-0:3.6.6-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-jgroups-0:4.0.19-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-picketlink-bindings-0:2.5.5-17.SP12_redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-picketlink-federation-0:2.5.5-17.SP12_redhat_00005.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-resteasy-0:3.6.1-5.SP5_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-undertow-0:2.0.20-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-weld-core-0:3.0.6-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-wildfly-0:7.2.2-2.GA_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-wildfly-common-0:1.5.1-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-wildfly-discovery-0:1.1.2-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-wildfly-http-client-0:1.0.15-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1421", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7.2::el8", "impact": "moderate", "package": "eap7-wildfly-naming-client-0:1.0.10-1.Final_redhat_00001.1.el8eap", "product_name": "Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8", "release_date": "2019-06-10T00:00:00Z"}, {"advisory": "RHSA-2019:1456", "cpe": "cpe:/a:redhat:jboss_single_sign_on:7.3", "package": "picketlink", "product_name": "Red Hat Single Sign-On 7.3.2 zip", "release_date": "2019-06-11T00:00:00Z"}], "bugzilla": {"description": "picketlink: reflected XSS in SAMLRequest via RelayState parameter", "id": "1688966", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1688966"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-79", "details": ["It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks."], "name": "CVE-2019-3872", "public_date": "2019-06-10T15:16:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-3872\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3872"], "threat_severity": "Moderate"}