Description
Apache Jetspeed vulnerable to SQL Injection
Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/.
References
- https://nvd.nist.gov/vuln/detail/CVE-2016-0710
- https://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3C046318A1-226E-453F-9394-B84F1A33E6A4%40bluesunrise.com%3E
- https://mail-archives.apache.org/mod_mbox/portals-jetspeed-user/201603.mbox/%3C046318A1-226E-453F-9394-B84F1A33E6A4@bluesunrise.com%3E
- https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710
- https://www.exploit-db.com/exploits/39643
- http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and
- http://packetstormsecurity.com/files/136489/Apache-Jetspeed-Arbitrary-File-Upload.html
- http://www.rapid7.com/db/modules/exploit/multi/http/apache_jetspeed_file_upload
Packages
Name: org.apache.portals.jetspeed-2:jetspeed
Ecosystem: maven
Affected versions: < 2.3.1
Fixed version: 2.3.1
Related vulnerabilities
CVSS3: 8.8
nvd
almost 10 years ago
Multiple SQL injection vulnerabilities in the User Manager service in Apache Jetspeed before 2.3.1 allow remote attackers to execute arbitrary SQL commands via the (1) role or (2) user parameter to services/usermanager/users/.