Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Related Vulnerabilities

CVE-2016-6816 Vulnerability in maven package org.apache.tomcat:coyote

CVE-2020-2290 Vulnerability in maven package org.biouno:uno-choice

CVE-2020-2142 Vulnerability in maven package org.jenkins-ci.plugins:p4

CVE-2019-12421 Vulnerability in maven package org.apache.nifi:nifi-web-security

CVE-2020-2213 Vulnerability in maven package org.jenkins-ci.plugins:whitesource

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory Patch