Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Related Vulnerabilities

CVE-2015-0254 Vulnerability in maven package javax.servlet:jstl

CVE-2018-1000151 Vulnerability in maven package org.jenkins-ci.plugins:vsphere-cloud

CVE-2023-29201 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2020-10686 Vulnerability in maven package org.keycloak:keycloak-model-jpa

CVE-2020-25724 Vulnerability in maven package io.quarkus:quarkus-resteasy-reactive-parent-aggregator

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory Patch