Vulnerability Details CVE-2016-2171
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.079
EPSS Ranking 91.6%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 6.4
References
- http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
- http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
- https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
- http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
- http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
- https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
Products affected by CVE-2016-2171
-
cpe:2.3:a:apache:jetspeed:2.2.0
-
cpe:2.3:a:apache:jetspeed:2.2.1
-
cpe:2.3:a:apache:jetspeed:2.2.2
-
cpe:2.3:a:apache:jetspeed:2.3.0