Posted to jetspeed-user@portals.apache.org by DavidSeanTaylor <da...@bluesunrise.com> on 2016/03/29 04:19:12 UTC

[CVE-2016-2171] Jetspeed User Manager REST service not restricted by Jetspeed Security

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.3.0

Description:
The Jetspeed User Manager REST service is exposed to unauthorized access. The following endpoints are served without any Jetspeed Security check, so an unauthenticated client can list, read, create, modify and delete portal user accounts:

GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/

In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring Administrative rights.
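
To test a 2.3.0 deployment for this exposure and to hunt for abuse in the web server's access logs, the following Python script is added here as an illustration; it is not part of the advisory or of Jetspeed. It assumes the portal is mounted at /jetspeed as in the URLs above and that Tomcat writes its default "common" access log format (%h %l %u %t "%r" %s %b); the log lines embedded in it are constructed for the example. The live probe deliberately sends only the anonymous, read-only GET of the user list, since the POST and DELETE endpoints would change accounts.

```python
"""Check a Jetspeed host for CVE-2016-2171 exposure and hunt access logs.

Added example, not part of the advisory or of Jetspeed. Assumes Jetspeed is
mounted at /jetspeed (as in the advisory URLs) and Tomcat's "common" access
log format. The sample log lines below are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List

USERS_PATH = "/jetspeed/services/usermanager/users"

# The five endpoints the advisory lists; {name} is the target account.
ADVISORY_ENDPOINTS = [
    ("GET", USERS_PATH + "/"),
    ("GET", USERS_PATH + "/{name}/"),
    ("POST", USERS_PATH + "/{name}/"),
    ("POST", USERS_PATH + "/"),
    ("DELETE", USERS_PATH + "/{name}/"),
]

# %h %l %u %t "%r" %s %b  (Tomcat AccessLogValve pattern="common")
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)


@dataclass
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: int
    severity: str  # "high" for account writes/deletes, "medium" for reads


def is_usermanager_path(path: str) -> bool:
    """True for the user collection or any user resource beneath it."""
    path = path.split("?", 1)[0]
    return path == USERS_PATH or path.startswith(USERS_PATH + "/")


def verdict(status: int) -> str:
    """Interpret the status of an unauthenticated GET .../users/.

    2.3.0 serves the listing (200); 2.3.1 requires administrative rights,
    so an anonymous request should be refused (401 or 403).
    """
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "secured"
    return "indeterminate"


def check_exposure(base_url: str, timeout: float = 5.0) -> str:
    """Send one anonymous, read-only GET to the user list and classify it.
    Only GET is used; the POST/DELETE endpoints are mutating and not probed."""
    req = urllib.request.Request(base_url.rstrip("/") + USERS_PATH + "/",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return verdict(resp.status)
    except urllib.error.HTTPError as e:
        return verdict(e.code)


def scan_access_log(lines) -> List[Finding]:
    """Flag successful requests to the user-manager API that carry no
    container-authenticated principal (%u == "-"). Jetspeed normally handles
    login itself rather than through the container, so %u is often "-" even
    for administrators; on a 2.3.0 host every hit listed here deserves review,
    writes and deletes first."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        status = int(m.group("status"))
        if not is_usermanager_path(m.group("path")) or status >= 400:
            continue  # not this API, or the request was refused
        if m.group("user") != "-":
            continue  # container-authenticated caller
        sev = "high" if m.group("method") in ("POST", "PUT", "DELETE") else "medium"
        findings.append(Finding(m.group("host"), m.group("time"), m.group("method"),
                                m.group("path"), status, sev))
    return findings


SAMPLE_LOG = [  # constructed for this example
    '203.0.113.7 - - [29/Mar/2016:04:19:12 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 200 5123',
    '203.0.113.7 - - [29/Mar/2016:04:19:14 +0000] "POST /jetspeed/services/usermanager/users/backdoor/ HTTP/1.1" 200 412',
    '203.0.113.7 - - [29/Mar/2016:04:19:20 +0000] "DELETE /jetspeed/services/usermanager/users/admin/ HTTP/1.1" 200 0',
    '198.51.100.2 - - [29/Mar/2016:04:20:01 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [29/Mar/2016:04:21:30 +0000] "GET /jetspeed/portal/default-page.psml HTTP/1.1" 200 9000',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.host} {f.method} {f.path} -> {f.status}")
```

Run it against a real log with `scan_access_log(open("localhost_access_log.txt"))`, and against a live host with `check_exposure("http://host")`; a 2.3.1 host should answer "secured". An access log in a different pattern (for example with a %D or %S field appended) needs LOG_RE adjusted before the findings mean anything.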

Mitigation:
Users of 2.3.0 should upgrade to 2.3.1.

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html