Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

Related Vulnerabilities

CVE-2018-11775 Vulnerability in maven package org.apache.activemq:activemq-broker

CVE-2020-7707 Vulnerability in maven package org.webjars.npm:property-expr

CVE-2022-31127 Vulnerability in npm package next-auth

CVE-2023-26055 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2020-10969 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Patch Vendor Advisory