Description
Your web application is possibly vulnerable to JAAS Authentication Bypass. JAAS (Java Authentication and Authorization Service) is the Java implementation of the standard Pluggable Authentication Module (PAM) information security framework. The main goal of JAAS is to separate the concerns of user authentication so that they may be managed independently.
Sometimes, JAAS is not configured correctly and an attacker can bypass the authentication. As an example, take a look at the code below:
<security-constraint>
<web-resource-collection>
<web-resource-name>Adminarea</web-resource-name>
<url-pattern>/admin/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
In this case the security constraint is defined only for HTTP methods GET and POST. If an attacker is using the HEAD HTTP method he can bypass the authentication.
Remediation
Remove all http-method definitions from the security-constraint section. This will default to "all HTTP methods".
References
Related Vulnerabilities
WordPress Plugin Premmerce Wholesale Pricing for WooCommerce Security Bypass (1.1.3)
Joomla! Core 3.3.x Security Bypass (3.3.0 - 3.3.3)
WordPress Plugin JobSearch WP Job Board Security Bypass (1.8.1)
WordPress Plugin Premium SEO Pack Security Bypass (1.9.1.3)
WordPress Plugin Rating-Widget:Star Review System Security Bypass (2.8.9)