uPortal / UP-4105

CVE-2014-3416 MANAGE[-*] permissions not enforced

    Details

    • Type: Security Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.0.0-RC1, 4.0.0-RC2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 3.2.5, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.9.1, 4.0.10, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13
    • Fix Version/s: 4.0.13.1, 4.0.14, 4.1.0
    • Component/s: Administration
    • Labels:

      Description

      CVE-2014-3416: MANAGE permissions are ineffectual. Any user holding SUBSCRIBE on the portlet-admin portlet can MANAGE any portlet through URL manipulation. The MANAGE permission only filters which portlets are listed in the UI; it does not prevent the user from managing portlets that were not listed.

      More information about this vulnerability and how you can address it locally is at

      https://gist.github.com/apetro/e49ece2ebc8ef0bdb31f
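      The authorization flaw described above, as an added illustration that is not uPortal code: the MANAGE check is applied only when building the list shown in the UI, while the action handler trusts the portlet id supplied in the request; the hardened form re-checks MANAGE on the specific target and records the denial. The permission names SUBSCRIBE and MANAGE follow the ticket; the portlet registry, the User model and all function names are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample registry of portlets an administrator could manage.
PORTLETS = {"news", "calendar", "payroll"}


@dataclass
class User:
    name: str
    # Hypothetical permission model: SUBSCRIBE on the portlet-admin portlet
    # grants entry to the admin UI; MANAGE is granted per target portlet.
    subscribe_portlet_admin: bool = False
    manage: set = field(default_factory=set)


def list_manageable(user: User) -> list:
    """UI layer: the list offered to the user is filtered by MANAGE."""
    return sorted(p for p in PORTLETS if p in user.manage)


def manage_portlet_vulnerable(user: User, portlet_id: str) -> str:
    """Pre-fix pattern: only the entry permission is checked; the portlet id
    taken from the request URL is trusted because the UI 'only listed
    permitted portlets'. Any user with SUBSCRIBE on portlet-admin can
    therefore manage every registered portlet."""
    if not user.subscribe_portlet_admin:
        return "denied"
    if portlet_id not in PORTLETS:
        return "not-found"
    return f"managed {portlet_id}"


def manage_portlet_fixed(user: User, portlet_id: str, audit_log: list) -> str:
    """Hardened pattern: MANAGE on the specific target is re-checked on the
    action itself, and a denial for an unlisted target is written to an
    audit log so that such requests are visible to detection."""
    if not user.subscribe_portlet_admin:
        return "denied"
    if portlet_id not in PORTLETS:
        return "not-found"
    if portlet_id not in user.manage:
        audit_log.append(f"DENY user={user.name} action=MANAGE target={portlet_id}")
        return "denied"
    return f"managed {portlet_id}"
```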

        Activity

        Andrew Petro added a comment -

        Marked all uPortal 4 releases as affected as a guess. Unclear whether releases before 4 are affected – would need to go look.

        Andrew Petro added a comment - edited

        Addressed in uPortal 4.0.13-patches (branch soon to be pushed), in 4.0-patches towards 4.0.14, and in master.
        For 4.0.13.1: https://github.com/Jasig/uPortal/commit/8afed0f532a9f0057d42ea682e9a1f7858f51151
        For 4.0.14: https://github.com/Jasig/uPortal/commit/dd069c1728845b885f270ea96a4b8d1b5709a453
        For master: https://github.com/Jasig/uPortal/commit/9e56eb6c1c6acb52ccd1f0de7f22f8ecf2a5bbfb

        Andrew Petro added a comment -

        Correct CVE identifier digit transpose.

          People

          • Assignee: Drew Wills
          • Reporter: Andrew Petro
          • Votes: 0
          • Watchers: 1
