CVE-2016-2171

{"id": "CVE-2016-2171", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2016-04-11T14:59:10.333", "references": [{"url": "http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and", "source": "secalert@redhat.com"}, {"url": "http://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3CB9165E38-F3D8-496D-8642-8A53FCAC736A%40gmail.com%3E", "tags": ["Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-2171", "tags": ["Patch", "Vendor Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "The User Manager service in Apache Jetspeed before 2.3.1 does not properly restrict access using Jetspeed Security, which allows remote attackers to (1) add, (2) edit, or (3) delete users via the REST API."}, {"lang": "es", "value": "El servicio User Manager en Apache Jetspeed en versiones anteriores a 2.3.1 no restringe correctamente el acceso usando Jetspeed Security, lo que permite a atacantes remotos (1) a\u00f1adir, (2) editar o (3) eliminar usuarios a trav\u00e9s de la API REST."}], "lastModified": "2016-04-14T22:23:11.550", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:jetspeed:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B7DAFB8-85FD-462F-A9A3-AD76C62557F7", "versionEndIncluding": "2.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}