Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Related Vulnerabilities

CVE-2018-5382 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

CVE-2023-4061 Vulnerability in maven package org.wildfly.core:wildfly-controller

CVE-2020-1937 Vulnerability in maven package org.apache.kylin:kylin-server-base

CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm

CVE-2022-34204 Vulnerability in maven package com.geteasyqa:easyqa

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory Patch