Description
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
Remediation
References
http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
Related Vulnerabilities
CVE-2023-29528 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml
CVE-2017-8028 Vulnerability in maven package org.springframework.ldap:spring-ldap-core
CVE-2020-10686 Vulnerability in maven package org.keycloak:keycloak-model-jpa
CVE-2018-8038 Vulnerability in maven package org.apache.cxf.fediz:fediz-core
CVE-2022-43430 Vulnerability in maven package com.compuware.jenkins:compuware-topaz-for-total-test