uPortal / UP-4105

CVE-2014-3416 MANAGE[-*] permissions not enforced

    Details

    • Type: Security Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.0.0-RC1, 4.0.0-RC2, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 3.2.5, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.9.1, 4.0.10, 4.0.11, 4.0.11.1, 4.0.12, 4.0.13
    • Fix Version/s: 4.0.13.1, 4.0.14, 4.1.0
    • Component/s: Administration
    • Labels:

      Description

      CVE-2014-3416: Manage permissions ineffectual. Any user with SUBSCRIBE on portlet-admin can MANAGE any portlet through URL manipulation. The MANAGE permission only filters which portlets are listed in the UI but does not prevent the user from managing portlets.

      More information about this vulnerability and how you can address it locally is at

      https://gist.github.com/apetro/e49ece2ebc8ef0bdb31f
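      The defect pattern behind this report, shown in runnable form. This is an added model, not uPortal's code: the permission triples, the portlet registry, the URL path and the two handlers are all constructed for the illustration. It demonstrates the general point that filtering the admin UI's list by MANAGE is presentation logic, not an authorization check; the handler that receives the portlet id from the URL has to enforce MANAGE on that target itself, or a user who only holds SUBSCRIBE on portlet-admin can edit a portlet that never appeared in their list by hand-editing the request.

```python
"""Model of the access-control defect in UP-4105 / CVE-2014-3416.

Added illustration, not uPortal code: the permission table, portlet registry,
URL shape and handler functions are constructed for this example.
"""
from urllib.parse import parse_qs, urlsplit


class PermissionDenied(Exception):
    pass


# Constructed (principal, activity, target) grants. Names follow the report:
# SUBSCRIBE on portlet-admin lets a user open the admin UI, MANAGE on a portlet
# lets them edit that portlet. bob can reach the UI but may only manage "weather".
PERMISSIONS = {
    ("alice", "SUBSCRIBE", "portlet-admin"),
    ("alice", "MANAGE", "campus-news"),
    ("bob", "SUBSCRIBE", "portlet-admin"),
    ("bob", "MANAGE", "weather"),
}


def make_registry():
    """Constructed portlet registry; a fresh copy per call so runs stay isolated."""
    return {
        "campus-news": {"title": "Campus News"},
        "weather": {"title": "Weather"},
        "payroll": {"title": "Payroll Self-Service"},
    }


def has_permission(user, activity, target):
    return (user, activity, target) in PERMISSIONS


def list_manageable(user, registry):
    """What the admin UI renders: only portlets the user holds MANAGE on.
    This filtering is display logic and must not be mistaken for enforcement."""
    return sorted(p for p in registry if has_permission(user, "MANAGE", p))


def portlet_id_from_url(url):
    """The target is taken from a query parameter, i.e. it is attacker-controlled."""
    return parse_qs(urlsplit(url).query)["portletId"][0]


def edit_portlet_vulnerable(user, url, registry, new_title):
    """Pre-fix behaviour: reaching the admin UI (SUBSCRIBE on portlet-admin) is the
    only gate. The portlet id from the URL is never checked against MANAGE, so any
    admin-UI user can edit any portlet, listed or not."""
    if not has_permission(user, "SUBSCRIBE", "portlet-admin"):
        raise PermissionDenied("no access to portlet-admin")
    portlet_id = portlet_id_from_url(url)
    registry[portlet_id]["title"] = new_title
    return portlet_id


def edit_portlet_fixed(user, url, registry, new_title):
    """Hardened handler: same URL parsing, but MANAGE is enforced on the specific
    target the request names, independently of what the UI listed."""
    if not has_permission(user, "SUBSCRIBE", "portlet-admin"):
        raise PermissionDenied("no access to portlet-admin")
    portlet_id = portlet_id_from_url(url)
    if portlet_id not in registry:
        raise KeyError(portlet_id)
    if not has_permission(user, "MANAGE", portlet_id):
        raise PermissionDenied(f"{user} lacks MANAGE on {portlet_id}")
    registry[portlet_id]["title"] = new_title
    return portlet_id


def demo():
    """bob's UI lists only 'weather'; a hand-edited URL names 'payroll' instead."""
    forged = "/portal/portlet-admin/edit?portletId=payroll"  # constructed URL
    vuln = make_registry()
    edit_portlet_vulnerable("bob", forged, vuln, "owned")
    fixed = make_registry()
    try:
        edit_portlet_fixed("bob", forged, fixed, "owned")
        blocked = False
    except PermissionDenied:
        blocked = True
    return {
        "listed_for_bob": list_manageable("bob", vuln),
        "vulnerable_payroll_title": vuln["payroll"]["title"],
        "fixed_blocked": blocked,
        "fixed_payroll_title": fixed["payroll"]["title"],
    }


if __name__ == "__main__":
    print(demo())
```

      The check to carry over to a real deployment is the one in `edit_portlet_fixed`: every state-changing handler resolves the target from the request and asks the permission layer about that exact (user, MANAGE, target) triple before acting. Hiding entries from the list is fine as a usability measure but proves nothing about what a forged request can reach.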


            People

            • Assignee: Drew Wills (awills)
            • Reporter: Andrew Petro (awp9)