Posted to commits@portals.apache.org by ta...@apache.org on 2016/03/29 04:27:03 UTC
svn commit: r1736940 - /portals/site-live/jetspeed-2/security-reports.html
Author: taylor
Date: Tue Mar 29 02:27:03 2016
New Revision: 1736940
URL: http://svn.apache.org/viewvc?rev=1736940&view=rev
Log:
adding CVE-2016-2171 to list of 2.3.0 vulnerabilities
Modified:
portals/site-live/jetspeed-2/security-reports.html
Modified: portals/site-live/jetspeed-2/security-reports.html
URL: http://svn.apache.org/viewvc/portals/site-live/jetspeed-2/security-reports.html?rev=1736940&r1=1736939&r2=1736940&view=diff
==============================================================================
--- portals/site-live/jetspeed-2/security-reports.html (original)
+++ portals/site-live/jetspeed-2/security-reports.html Tue Mar 29 02:27:03 2016
@@ -42,7 +42,7 @@
<div class="xleft">
- Last Published: 3 March 2016
+ Last Published: 28 March 2016
</div>
<div class="xright"> <a href="http://portals.apache.org/applications/" class="externalLink">Applications</a>
|
@@ -258,6 +258,7 @@
<li><a href="#CVE-2016-0710">CVE-2016-0710: SQL injection in User Manager service</a></li>
<li><a href="#CVE-2016-0711">CVE-2016-0711: Persistent Cross Site Scripting in links, pages and folders</a></li>
<li><a href="#CVE-2016-0712">CVE-2016-0712: Reflected Cross Site Scripting in URI path</a></li>
+<li><a href="#CVE-2016-2171">CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security</a></li>
</ul>
</div>
<div class="section"><h2><a name="a2.3.1_Release_CVE_Reports"></a>2.3.1 Release CVE Reports</h2>
@@ -429,6 +430,42 @@ title="Minimize" class="a
</div>
</p>
</div>
+<a name="CVE-2016-2171"></a><div class="section"><h3><a name="CVE-2016-2171:_Jetspeed_User_Manager_REST_service_not_restricted_by_Jetspeed_Security"></a>CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security</h3>
+<table class="bodyTable"><tr class="a"><td>Severity: </td>
+<td>Important</td>
+</tr>
+<tr class="b"><td>Vendor: </td>
+<td>The Apache Software Foundation</td>
+</tr>
+<tr class="a"><td>Versions Effected:</td>
+<td> Jetspeed 2.3.0</td>
+</tr>
+<tr class="b"><td>Mitigation:</td>
+<td>2.3.0 users should upgrade to 2.3.1</td>
+</tr>
+<tr class="a"><td>Credit:</td>
+<td>This issue was discovered by Andreas Lindh</td>
+</tr>
+<tr class="b"><td>References:</td>
+<td>http://tomcat.apache.org/security.html</td>
+</tr>
+</table>
+<h4>Description:</h4>
+<p>
+ The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs are not restricted by Jetspeed Security:
+ </p>
+<div class="source"><pre>
+ GET http://host/jetspeed/services/usermanager/users/
+ GET http://host/jetspeed/services/usermanager/users/{name}/
+ POST http://host/jetspeed/services/usermanager/users/{name}/
+ POST http://host/jetspeed/services/usermanager/users/
+ DELETE http://host/jetspeed/services/usermanager/users/{name}/
+ </pre>
+</div>
+<p>
+ In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.
+ </p>
+</div>
</div>
</div>
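Review bot: The References row (`<td>http://tomcat.apache.org/security.html</td>`) points at the Tomcat security page, which is unrelated to this Jetspeed advisory; it should reference the Jetspeed / Apache Portals security reports page (this very file) or the CVE entry for CVE-2016-2171. Two further points in the same hunk: the Mitigation row says "2.3.0 users should upgrade to 2.3.1" while the description says the URLs are secured "in the upcoming 2.3.1 release", so either 2.3.1 is already available and the description should say so, or it is not and the Mitigation row should give an interim workaround (for example, restricting access to the `/jetspeed/services/usermanager/` path at the container or reverse-proxy level until 2.3.1 ships). Finally, "Versions Effected" should read "Versions Affected", and the description would be stronger if it stated the impact the listed verbs imply: an unauthenticated caller can enumerate, create, modify and delete users through the GET/POST/DELETE endpoints shown.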