Posted to jetspeed-user@portals.apache.org by David S Taylor <da...@bluesunrise.com> on 2016/03/03 22:16:30 UTC

[CVE-2016-0710] Apache Jetspeed information disclosure vulnerability

CVE-2016-0710: SQL injection in User Manager service

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.3.0

Description:
The Jetspeed User Manager service, part of the Jetspeed Administrative Portlets, is vulnerable to SQL injection. When performing a search in these tools, the 'user' and 'role' request parameters are incorporated directly into the subsequent SQL statement, so a crafted value can alter the logic of that statement.
There is also an authorization flaw at play here, since the affected service URLs can be reached without being authenticated in Jetspeed.

Mitigation:
2.3.0 users should upgrade to 2.3.1

Example:
Given this URL:
http://192.168.2.4:8080/jetspeed/services/usermanager/users/?_type=json&results=10&start=0&sort=userName&dir=asc&name=&roles=foo%27%20 
The 'role' parameter contains the value "foo" which is not an existing role, but because of the injected SQL code (or '1'='1') the statement returns true anyway and all the existing users are shown.
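The class of bug described above, as an added example that is not Jetspeed's code: a constructed SQLite table stands in for the Jetspeed user store, and a search filter built by string concatenation is shown beside the parameterized version, so the quoted role value from the URL above returns every user in one case and nothing in the other.

```python
import sqlite3

# Constructed sample data; the real Jetspeed schema differs.
USERS = [("admin", "admin"), ("alice", "user"), ("bob", "user")]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_role (user_name TEXT, role_name TEXT)")
    conn.executemany("INSERT INTO user_role VALUES (?, ?)", USERS)
    return conn


def search_users_vulnerable(role):
    """Builds the WHERE clause by concatenation: the 'roles' value becomes
    part of the SQL text, so a single quote in it rewrites the query."""
    conn = _db()
    sql = ("SELECT user_name FROM user_role WHERE role_name = '"
           + role + "' ORDER BY user_name ASC")
    return [row[0] for row in conn.execute(sql)]


def search_users_fixed(role):
    """Binds the value as a query parameter: it is only ever compared as
    data, so a non-existent role matches nobody regardless of its content."""
    conn = _db()
    sql = "SELECT user_name FROM user_role WHERE role_name = ? ORDER BY user_name ASC"
    return [row[0] for row in conn.execute(sql, (role,))]
```

With the payload from the advisory, `search_users_vulnerable("foo' or '1'='1")` lists all three users while `search_users_fixed` returns an empty list.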

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html