From DavidSeanTaylor <da...@bluesunrise.com>
Subject [CVE-2016-2171] Jetspeed User Manager REST service not restricted by Jetspeed Security
Date Tue, 29 Mar 2016 02:19:12 GMT
CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Jetspeed 2.3.0

Description:
The Jetspeed User Manager services are vulnerable to unauthorized access. The following APIs
are not restricted by Jetspeed Security:

GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/

In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security, requiring
Administrative rights.
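A defensive check that follows from the endpoint list above, added here as an example and not part of the advisory: it scans Tomcat-style access log lines (constructed samples) for hits on the five unrestricted Jetspeed User Manager URLs, so an operator still on 2.3.0 can see whether the service was reached and which state-changing calls the server answered successfully. The "common" log format and the /jetspeed context path are assumptions.

```python
import re

# Constructed sample lines in Tomcat "common" access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Mar/2016:10:00:01 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 200 812
10.0.0.5 - - [28/Mar/2016:10:00:02 +0000] "DELETE /jetspeed/services/usermanager/users/admin/ HTTP/1.1" 200 0
10.0.0.9 - - [28/Mar/2016:10:00:03 +0000] "GET /jetspeed/portal/ HTTP/1.1" 200 5120
10.0.0.7 - - [28/Mar/2016:10:00:04 +0000] "POST /jetspeed/services/usermanager/users/ HTTP/1.1" 201 0
10.0.0.7 - - [28/Mar/2016:10:00:05 +0000] "GET /jetspeed/services/usermanager/users/alice/ HTTP/1.1" 404 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# The five endpoint shapes from the advisory; {name} is a single path segment.
# "/jetspeed" is the context path shown in the advisory; adjust if deployed elsewhere.
USERS = r"^/jetspeed/services/usermanager/users/"
USERMANAGER_API = [
    ("GET", re.compile(USERS + r"$")),
    ("GET", re.compile(USERS + r"[^/]+/$")),
    ("POST", re.compile(USERS + r"$")),
    ("POST", re.compile(USERS + r"[^/]+/$")),
    ("DELETE", re.compile(USERS + r"[^/]+/$")),
]

def find_usermanager_requests(log_text):
    # One finding per log line that hit a CVE-2016-2171 endpoint. The access log
    # cannot show whether the Jetspeed session was an administrator, so on 2.3.0
    # every hit deserves review; successful (2xx) POST/DELETE calls come first.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        method, path = m.group("method"), m.group("path").split("?", 1)[0]
        if not any(method == am and pat.match(path) for am, pat in USERMANAGER_API):
            continue
        status = int(m.group("status"))
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "method": method,
                         "path": path, "status": status,
                         "write": method in ("POST", "DELETE"),  # creates, updates or deletes a user
                         "succeeded": 200 <= status < 300})
    return findings

if __name__ == "__main__":
    for f in find_usermanager_requests(SAMPLE_LOG):
        flag = "REVIEW-FIRST" if f["write"] and f["succeeded"] else "review"
        print(f"{flag:12} {f['ip']} {f['method']} {f['path']} -> {f['status']}")
```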

Mitigation:
2.3.0 users should upgrade to 2.3.1

Credit:
This issue was discovered by Andreas Lindh

References:
http://tomcat.apache.org/security.html