Description
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
Remediation
References
http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
Related Vulnerabilities
CVE-2022-43766 Vulnerability in maven package org.apache.iotdb:iotdb-server
CVE-2014-3417 Vulnerability in maven package org.jasig.portal:uportal-war
CVE-2023-37903 Vulnerability in npm package vm2
CVE-2020-27218 Vulnerability in maven package org.eclipse.jetty:jetty-server
CVE-2015-8858 Vulnerability in maven package org.webjars.npm:uglify-js