Design/Logic Flaw

2016-04-1114:59:00

PRIOn knowledge base

www.prio-n.com

7.2 High

AI Score

Confidence

Low

0.531 Medium

EPSS

Percentile

97.6%

JSON

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

CPENameOperatorVersion
jetspeedle2.3.0

CPE	Name	Operator	Version
	jetspeed	le	2.3.0

References

haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and

mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E

portals.apache.org/jetspeed-2/security-reports.html