Description
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
Remediation
References
http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
Related Vulnerabilities
CVE-2020-2222 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2021-32731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web
CVE-2021-21122 Vulnerability in maven package org.webjars.npm:electron
CVE-2011-1411 Vulnerability in maven package org.opensaml:opensaml
CVE-2008-0128 Vulnerability in maven package tomcat:catalina