CVE-2016-2171
HIGH | Apache Jetspeed < 2.3.1 - Unauthenticated User Management via REST API
Title source: llmDescription
The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API.
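Added example, not code from the Jetspeed project or from the referenced write-up: a non-destructive smoke test a practitioner could run to confirm whether a user-management REST resource answers requests that carry no credentials at all. The resource path, the throwaway local server that stands in for a vulnerable and a hardened deployment, and the verdict labels are assumptions for illustration; the real path comes from the vendor advisory. The probe sends one GET rather than a POST, so it never creates, edits or deletes a user, and it does not follow redirects, so a bounce to a login page is counted as gated instead of as a misleading 200.

```python
"""Unauthenticated reachability probe for a user-management REST resource.

Added example, not Apache Jetspeed project code. The endpoint path below and
the local stand-in server are assumptions; take the actual path from the
vendor advisory for the deployment under test.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# ASSUMPTION: placeholder resource path, not a path taken from the advisory.
DEFAULT_PATH = "/services/usermanager/users"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Map an HTTP status to a verdict about access control on the resource."""
    if status == 200:
        return "exposed"   # answered without any credentials
    if status in (401, 403) or 300 <= status < 400:
        return "gated"     # challenged, denied, or bounced to a login page
    if status == 404:
        return "absent"    # resource not deployed at this path
    return "unknown"


def probe(base_url, path=DEFAULT_PATH, timeout=5):
    """Send one unauthenticated GET (never a write) and classify the result."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
    except urllib.error.HTTPError as e:
        status = e.code          # 3xx/4xx/5xx all land here with _NoRedirect
    except urllib.error.URLError:
        return "unknown"         # connection refused, DNS failure, timeout
    return classify(status)


class _FakeUserManager(BaseHTTPRequestHandler):
    """Constructed stand-in for a user-management endpoint (not Jetspeed).

    gated=True demands an Authorization header; gated=False answers anyone,
    which is the behaviour the CVE description attributes to affected versions.
    """
    gated = True

    def do_GET(self):
        if self.path != DEFAULT_PATH:
            self.send_response(404)
            self.end_headers()
            return
        if self.gated and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="users"')
            self.end_headers()
            return
        body = b'{"users": ["admin"]}'   # constructed sample payload
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo(gated):
    """Start a throwaway server in the given mode, probe it, return the verdict."""
    handler = type("Handler", (_FakeUserManager,), {"gated": gated})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    thread = threading.Thread(target=srv.serve_forever, daemon=True)
    thread.start()
    try:
        return probe(f"http://127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print("hardened stand-in:  ", run_demo(True))    # gated
    print("vulnerable stand-in:", run_demo(False))   # exposed
```

Against a real deployment, call `probe("https://host:port", path=...)` with the path from the advisory; a verdict of "exposed" on a user-management resource is the condition to escalate, while "gated" only shows that anonymous access is challenged, not that authorization is correct for authenticated users.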
References (3)
Patch, Vendor Advisory (x_refsource_confirm): https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171
Vendor Advisory, mailing list (x_refsource_mlist): http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E
Various Sources (x_refsource_misc): http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
Scores
CVSS v3
7.5
EPSS
0.1661
EPSS Percentile
95.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status
published
Products (1)
apache/jetspeed
< 2.3.1
Published
Apr 11, 2016
Tracked Since
Feb 18, 2026