CVE-2016-2171: Jetspeed User Manager REST service not restricted by Jetspeed Security
Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Jetspeed 2.3.0

Description: The Jetspeed User Manager REST services can be called without authentication. Jetspeed Security applies no access check to the following APIs, so an unauthenticated client can list, read, create or modify, and delete portal user accounts:

GET http://host/jetspeed/services/usermanager/users/
GET http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/{name}/
POST http://host/jetspeed/services/usermanager/users/
DELETE http://host/jetspeed/services/usermanager/users/{name}/

In the upcoming 2.3.1 release, these URLs are properly secured by Jetspeed Security and require Administrative rights.

Mitigation: 2.3.0 users should upgrade to 2.3.1.

Credit: This issue was discovered by Andreas Lindh.

References: http://tomcat.apache.org/security.html
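A quick way to confirm whether a given portal is exposed, or that an upgrade to 2.3.1 actually closed the hole, is to request the advisory's URLs with no credentials and look at the status codes. The script below is an added example written for this page; it is not code from the advisory or from the Jetspeed project. It only sends the two GET requests by default, because the POST and DELETE endpoints are state-changing and must not be fired at a production portal; pass include_writes=True only in a lab. The base URL http://host/jetspeed/, the placeholder user name probe-user, and the classification of status codes are assumptions of the example, as is the use of a non-redirecting opener so a 302 to a login page is reported as "redirect" rather than silently followed.

```python
"""Probe the Jetspeed User Manager REST endpoints from CVE-2016-2171 unauthenticated.

Usage: python probe_jetspeed.py http://host/jetspeed/
A 2xx answer to an unauthenticated request means the endpoint is unrestricted
(the 2.3.0 behaviour); 401/403 or a redirect to a login page means Jetspeed
Security is in front of it (the expected 2.3.1 behaviour).
"""
import sys
import urllib.error
import urllib.request

# The five service URLs named in the advisory, relative to the portal root.
# {name} stands for a user name; the advisory gives no concrete value.
ADVISORY_ENDPOINTS = [
    ("GET", "services/usermanager/users/"),
    ("GET", "services/usermanager/users/{name}/"),
    ("POST", "services/usermanager/users/{name}/"),
    ("POST", "services/usermanager/users/"),
    ("DELETE", "services/usermanager/users/{name}/"),
]


def endpoint_urls(base, name="probe-user"):
    """Expand the advisory's relative URLs against a portal base such as http://host/jetspeed/.

    'probe-user' is an assumed placeholder; substitute a real account name when checking
    the per-user endpoints on a lab instance.
    """
    base = base.rstrip("/") + "/"
    return [(method, base + path.format(name=name)) for method, path in ADVISORY_ENDPOINTS]


def classify(status):
    """Map an HTTP status from an unauthenticated request to a verdict (assumed mapping)."""
    if 200 <= status < 300:
        return "unrestricted"     # served without any credentials: vulnerable
    if status in (401, 403):
        return "protected"        # an access check refused the anonymous caller
    if 300 <= status < 400:
        return "redirect"         # typically a bounce to the portal login page
    if status == 404:
        return "absent"           # service not deployed at this path
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so a 3xx is observed, not the login page behind it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(method, url, timeout=10):
    """Send one request with no credentials and return the HTTP status code."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method=method)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


def probe(base, fetch=http_status, include_writes=False):
    """Return {(method, url): verdict} for the advisory's endpoints.

    GET endpoints are always checked. POST/DELETE create or destroy accounts and are
    skipped unless include_writes is set. `fetch` is injectable so the logic can be
    exercised without a network (the test uses a stub).
    """
    results = {}
    for method, url in endpoint_urls(base):
        if method != "GET" and not include_writes:
            results[(method, url)] = "skipped"
            continue
        results[(method, url)] = classify(fetch(method, url))
    return results


def main(argv):
    if len(argv) != 2:
        print(__doc__)
        return 2
    results = probe(argv[1])
    for (method, url), verdict in results.items():
        print(f"{verdict:12} {method:6} {url}")
    # Non-zero exit if anything answered an anonymous request with 2xx.
    return 1 if "unrestricted" in results.values() else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the GET checks already come back "unrestricted", the same missing access check applies to the write endpoints per the advisory; there is no need to exercise POST or DELETE against a live system to confirm the finding.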