Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

Related Vulnerabilities

CVE-2022-0624 Vulnerability in npm package parse-path

CVE-2020-7768 Vulnerability in npm package grpc

CVE-2021-4307 Vulnerability in maven package org.webjars.bower:baobab

CVE-2020-15095 Vulnerability in npm package npm

CVE-2020-26291 Vulnerability in maven package org.webjars.bower:urijs

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Patch Vendor Advisory