CVE-2014-3416 MANAGE[-*] permissions not enforced

Description

CVE-2014-3416: MANAGE permissions are ineffectual. Any user with SUBSCRIBE on portlet-admin can MANAGE any portlet through URL manipulation. The MANAGE permission only filters which portlets are listed in the UI; it does not prevent the user from managing portlets.

More information about this vulnerability and how you can address it locally is at

https://gist.github.com/apetro/e49ece2ebc8ef0bdb31f
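As an added illustration (not uPortal code; every name and the permission table are hypothetical), the pattern the description points at: an admin action that only checks access to the tool and trusts the filtered listing, beside the corrected version that re-checks MANAGE on the target when the action runs.

```python
# Added example, not uPortal code: every name here is hypothetical.
# Constructed permission table: user -> activity -> targets it is held on.
PERMISSIONS = {
    "alice": {"SUBSCRIBE": {"portlet-admin"}, "MANAGE": {"weather"}},
    "bob": {"SUBSCRIBE": {"portlet-admin"}, "MANAGE": set()},
}
# Constructed portlet registry that the admin tool edits.
PORTLETS = {"weather": {"title": "Weather"}, "calendar": {"title": "Calendar"}}

class PermissionDenied(Exception):
    pass

def has_permission(user, activity, target):
    return target in PERMISSIONS.get(user, {}).get(activity, set())

def require_admin_tool(user):
    # The only check the vulnerable handler makes: may the user open portlet-admin?
    if not has_permission(user, "SUBSCRIBE", "portlet-admin"):
        raise PermissionDenied(f"{user} has no SUBSCRIBE on portlet-admin")

def list_manageable_portlets(user):
    """Listing view: filters what the UI shows. Filtering is not enforcement."""
    require_admin_tool(user)
    return sorted(p for p in PORTLETS if has_permission(user, "MANAGE", p))

def edit_portlet_unenforced(user, portlet_id, new_title):
    """The pattern in the issue: portlet_id comes from the URL and the handler
    trusts that the listing already filtered it, so MANAGE is never checked."""
    require_admin_tool(user)
    PORTLETS[portlet_id]["title"] = new_title
    return PORTLETS[portlet_id]

def edit_portlet_enforced(user, portlet_id, new_title):
    """Corrected pattern: re-check MANAGE on the specific target at the action,
    independently of whatever the listing view displayed."""
    require_admin_tool(user)
    if not has_permission(user, "MANAGE", portlet_id):
        raise PermissionDenied(f"{user} has no MANAGE on {portlet_id}")
    PORTLETS[portlet_id]["title"] = new_title
    return PORTLETS[portlet_id]

def is_denied(action, *args):
    """True if the action is refused; shows where the two handlers diverge."""
    try:
        action(*args)
    except PermissionDenied:
        return True
    return False
```

The listing view and the action handler must each consult the permission store for the specific target; a list that happens to omit a portlet is not a control.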

Environment

None

Activity

Andrew Petro
May 20, 2014, 9:29 PM

Marked all uPortal 4 releases as affected as a guess. Unclear whether releases before 4 are affected – would need to go look.

Andrew Petro
May 22, 2014, 9:27 PM
Edited
Andrew Petro
May 23, 2014, 8:46 PM

Correct CVE identifier digit transposition.

Assignee

Andrew Wills

Reporter

Andrew Petro

Labels

Estimated End Date

None

Components

Fix versions

Priority

Blocker