Arbitrary User Modification Affecting org.apache.portals.jetspeed-2:jetspeed-security package, versions [,2.3.1)

Snyk CVSS

Attack Complexity Low

Integrity High

Threat Intelligence

EPSS 53.13% (98^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGAPACHEPORTALSJETSPEED2-30706
published 8 Apr 2016
disclosed 8 Apr 2016
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 8 Apr 2016

CVE-2016-2171 Open this link in a new tab CWE-264 Open this link in a new tab

Overview

org.apache.portals.jetspeed-2:jetspeed-security The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.

Arbitrary User Modification Affecting org.apache.portals.jetspeed-2:jetspeed-security package, versions [,2.3.1)

Snyk CVSS

Threat Intelligence

Introduced: 8 Apr 2016

Overview

References