The default configuration of the deployment descriptor (aka web.xml) in
picketlink-sts.war in (1) the security_saml quickstart, (2) the
webservice_proxy_security quickstart, (3) the web-console application, (4)
the http-invoker application, (5) the gpd-deployer application, (6) the
jbpm-console application, (7) the contract application, and (8) the
uddi-console application in JBoss Enterprise SOA Platform before 5.0.2
contains GET and POST http-method elements, which allows remote attackers
to bypass intended access restrictions via a crafted HTTP request.
Upstream:released (5.0.2)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr):needed
Ubuntu 16.04 LTS (Xenial Xerus):DNE
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
More Information

Updated: 2019-01-14 21:14:22 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)