Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Related Vulnerabilities

CVE-2021-21690 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-34916 Vulnerability in maven package org.apache.flume.flume-ng-sources:flume-jms-source

CVE-2022-47500 Vulnerability in maven package org.apache.helix:helix-front

CVE-2023-48219 Vulnerability in maven package org.webjars.bower:tinymce

CVE-2023-41037 Vulnerability in maven package org.webjars.bowergithub.openpgpjs:openpgpjs

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory Patch