Posted to jetspeed-user@portals.apache.org by DavidSeanTaylor <da...@bluesunrise.com> on 2016/03/29 04:19:12 UTC
[CVE-2016-2171] Jetspeed User Manager REST service not restricted by Jetspeed Security
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Jetspeed 2.3.0
Description:
The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs are not restricted by Jetspeed Security:
GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/
In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.
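For operators who ran 2.3.0 before upgrading, a retrospective hunt over the web server access log is the practical check: any request to the User Manager REST paths above that succeeded (2xx) deserves review, and POST/DELETE ones mean the account set may have been changed. The script below is an added example, not part of the advisory or of Jetspeed; it assumes a Tomcat/Apache combined access log format and uses constructed sample lines.

```python
import re
from dataclasses import dataclass

# Common/combined access log line as written by Tomcat's AccessLogValve (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Path prefix of the unrestricted User Manager REST service named in the advisory.
USERMANAGER_PREFIX = "/jetspeed/services/usermanager/users"
# Of the listed methods, POST and DELETE create, modify or remove user accounts.
MUTATING = {"POST", "DELETE"}

@dataclass
class Finding:
    ip: str
    method: str
    path: str
    status: int
    severity: str  # "high" for account changes, "medium" for user enumeration/reads

def scan_access_log(lines):
    """Return a Finding for every successful (2xx) request to the User Manager REST paths."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line in the assumed format
        path = m.group("path").split("?", 1)[0]
        if not path.startswith(USERMANAGER_PREFIX):
            continue
        status = int(m.group("status"))
        if not 200 <= status < 300:
            continue  # rejected request: the security check held
        method = m.group("method")
        severity = "high" if method in MUTATING else "medium"
        findings.append(Finding(m.group("ip"), method, path, status, severity))
    return findings

# Constructed sample lines (not real traffic) covering each case the scanner handles.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Mar/2016:04:19:12 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 200 1834',
    '203.0.113.7 - - [29/Mar/2016:04:19:13 +0000] "POST /jetspeed/services/usermanager/users/ HTTP/1.1" 200 57',
    '203.0.113.7 - - [29/Mar/2016:04:19:14 +0000] "DELETE /jetspeed/services/usermanager/users/jdoe/ HTTP/1.1" 200 0',
    '198.51.100.9 - - [29/Mar/2016:04:20:00 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [29/Mar/2016:04:20:01 +0000] "GET /jetspeed/portal/default-page.psml HTTP/1.1" 200 9021',
]
for f in scan_access_log(SAMPLE_LOG):
    print(f.severity.upper(), f.ip, f.method, f.path, f.status)
```

Run it against the real access log (`scan_access_log(open(path))`) and correlate the flagged client addresses and timestamps with Jetspeed's own login records, since an access log alone does not show whether a session was authenticated.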
Mitigation:
Users of 2.3.0 should upgrade to 2.3.1.
Credit:
This issue was discovered by Andreas Lindh.
References:
http://tomcat.apache.org/security.html