|
|
|||
| Rule General Information |
|---|
| Release Date: | 2017-04-10 | |
| Rule Name: | Apache Jetspeed User Manager Service Privilege Escalation Vulnerability (CVE-2016-2171) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API. | |
| Impact: | An attacker can abtain more privileges which he is not entitled to by exloiting the vulnerability, such as executing arbitrary code, deleting files, viewing sensitive information, changing configurations. | |
| Affected OS: | Solaris, Other Unix, FreeBSD, Linux | |
| Reference: | http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171 |
|
| Solutions |
|---|
| Upgrade to version 2.3.1 to solve the problem. |