Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Remediation

References

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Related Vulnerabilities

CVE-2020-2222 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2021-32731 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web

CVE-2021-21122 Vulnerability in maven package org.webjars.npm:electron

CVE-2011-1411 Vulnerability in maven package org.opensaml:opensaml

CVE-2008-0128 Vulnerability in maven package tomcat:catalina

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Tags

Vendor Advisory Patch