CVE-2016-2171

Sažetak

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Reference

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:P/A:P

Zadnje važnije ažuriranje

14-04-2016 - 22:23

Objavljeno

11-04-2016 - 14:59