Improper Access Control


Severity Medium
Score 6/10


The Service Provider (SP) in PicketLink before 2.5.4.SP2, 2.6.x up to 2.6.1.Final, 2.7.x before 2.7.0.Final, 2.7.1Beta1 and 2.7.1Beta2 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6254 for lack of validation for the Destination attribute in a Response element in a SAML assertion.
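The missing check described above, as an added example in Python (not PicketLink's own code): a pre-fix acceptance routine that never consults the Audience element, beside one that applies the AudienceRestriction rule. The SP entity ID and the sample assertion are constructed, and signature verification is assumed to happen before either function is called.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
OUR_ENTITY_ID = "https://sp.example.test/metadata"  # hypothetical SP entity ID

# Constructed: an otherwise valid assertion that the IdP issued for a *different* SP.
FOREIGN_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c0ffee" Version="2.0" IssueInstant="2015-08-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/idp</saml:Issuer>
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://other-sp.example.test/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
# Constructed: the same assertion, but issued for us.
OWN_ASSERTION = FOREIGN_ASSERTION.replace("https://other-sp.example.test/metadata", OUR_ENTITY_ID)


def audience_restrictions(assertion_xml):
    """Return one set of Audience URIs per AudienceRestriction element."""
    # Production code should parse with defusedxml and verify the XML
    # signature before trusting any value read here.
    root = ET.fromstring(assertion_xml)
    return [
        {a.text.strip() for a in ar.findall("saml:Audience", SAML_NS) if a.text}
        for ar in root.findall("saml:Conditions/saml:AudienceRestriction", SAML_NS)
    ]


def vulnerable_accept(assertion_xml, sp_entity_id):
    """Pre-fix behaviour: issuer and subject are checked, the Audience element
    is not, so an assertion minted for any other SP logs the user in here too."""
    root = ET.fromstring(assertion_xml)
    return (root.find("saml:Issuer", SAML_NS) is not None
            and root.find("saml:Subject/saml:NameID", SAML_NS) is not None)


def hardened_accept(assertion_xml, sp_entity_id, require_restriction=True):
    """SAML 2.0 core 2.5.1.4: every AudienceRestriction present must list this
    SP. Rejecting assertions with no restriction at all is a stricter local
    policy, enabled by default here."""
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return not require_restriction
    return all(sp_entity_id in audiences for audiences in restrictions)
```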


CWE-284 - Improper Access Control

Listed 5th in the 'OWASP Top Ten', improper (or broken) access control is a fundamental class of vulnerability. It covers a broad range of design flaws that let users act outside their intended permissions, which they can use to reach restricted files and functionality: viewing restricted information, falsifying records, destroying data, or executing commands.

Advisory Timeline

  • Published