CVE-2014-3416 MANAGE[-*] permissions not enforced

Description

CVE-2014-3416: MANAGE permissions are not enforced. Any user with SUBSCRIBE on portlet-admin can MANAGE any portlet through URL manipulation. The MANAGE permission only filters which portlets are listed in the UI; it does not prevent the user from managing portlets that were not listed.

More information about this vulnerability and how you can address it locally is at

https://gist.github.com/apetro/e49ece2ebc8ef0bdb31f
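The flaw above is a missing server-side authorization check on the action, with the permission applied only when building the UI list. The following is an added example, not uPortal code: a toy portlet-admin handler with a constructed permission table and a hypothetical `rename` action, showing the vulnerable pattern (MANAGE consulted only for listing) beside the hardened one (MANAGE enforced on the target of each request). All names, URLs and data here are assumptions for illustration.

```python
"""Toy portlet-admin handler illustrating the CVE-2014-3416 pattern.

Added example, not uPortal code: the classes, permission table and URL
layout are hypothetical. The point is that filtering the UI list by MANAGE
is not an access control; the action handler must check MANAGE itself.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed sample portlet registry: id -> display name.
PORTLETS = {"p1": "Weather", "p2": "Calendar", "p3": "Admin console"}

# Constructed permission table: user -> activity -> set of targets ("*" = all).
PERMISSIONS = {
    "alice": {"SUBSCRIBE": {"portlet-admin"}, "MANAGE": {"p1"}},
    "bob":   {"SUBSCRIBE": {"portlet-admin"}, "MANAGE": set()},
    "root":  {"SUBSCRIBE": {"portlet-admin"}, "MANAGE": {"*"}},
}


class Forbidden(Exception):
    """Raised when a permission check fails."""


def has_permission(user, activity, target):
    targets = PERMISSIONS.get(user, {}).get(activity, set())
    return "*" in targets or target in targets


def require(user, activity, target):
    if not has_permission(user, activity, target):
        raise Forbidden(f"{user} lacks {activity} on {target}")


class VulnerablePortletAdmin:
    """MANAGE is consulted only when building the list the UI shows."""

    def __init__(self, portlets):
        self.portlets = dict(portlets)

    def list_portlets(self, user):
        require(user, "SUBSCRIBE", "portlet-admin")
        return [pid for pid in self.portlets if has_permission(user, "MANAGE", pid)]

    def rename_portlet(self, user, portlet_id, new_name):
        # Only the entry-point check. A user who can open portlet-admin can
        # submit this action for any portlet id, listed or not.
        require(user, "SUBSCRIBE", "portlet-admin")
        if portlet_id not in self.portlets:
            raise KeyError(portlet_id)
        self.portlets[portlet_id] = new_name
        return self.portlets[portlet_id]


class HardenedPortletAdmin(VulnerablePortletAdmin):
    """Same listing, but MANAGE is enforced on the action itself."""

    def rename_portlet(self, user, portlet_id, new_name):
        require(user, "SUBSCRIBE", "portlet-admin")
        if portlet_id not in self.portlets:
            raise KeyError(portlet_id)
        # The check the UI filter never provided: authorize the target of
        # this specific request, not just entry to the admin screen.
        require(user, "MANAGE", portlet_id)
        self.portlets[portlet_id] = new_name
        return self.portlets[portlet_id]


def handle_request(app, user, url):
    """Dispatch a request as a browser would send it. The user controls the
    query string, so portletId can be anything, regardless of what was listed."""
    query = parse_qs(urlsplit(url).query)
    action = query.get("action", [""])[0]
    if action == "list":
        return app.list_portlets(user)
    if action == "rename":
        return app.rename_portlet(user, query["portletId"][0], query["name"][0])
    raise ValueError(f"unknown action {action!r}")


def try_rename(app, user, portlet_id, new_name):
    """Attempt the manipulated URL; returns ("ok", name) or ("forbidden", reason)."""
    url = f"/portlet-admin?action=rename&portletId={portlet_id}&name={new_name}"
    try:
        return ("ok", handle_request(app, user, url))
    except Forbidden as exc:
        return ("forbidden", str(exc))


if __name__ == "__main__":
    # bob holds SUBSCRIBE on portlet-admin but MANAGE on nothing.
    print("listed for bob:", VulnerablePortletAdmin(PORTLETS).list_portlets("bob"))
    print("vulnerable:", try_rename(VulnerablePortletAdmin(PORTLETS), "bob", "p3", "pwned"))
    print("hardened:  ", try_rename(HardenedPortletAdmin(PORTLETS), "bob", "p3", "pwned"))
```

Running it shows bob sees an empty list in both versions, yet the vulnerable handler accepts his hand-built URL for `p3` while the hardened one rejects it. The general rule the fix encodes: every state-changing handler must authorize the specific object named in the request, because the client can send any identifier regardless of what the UI offered.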

Environment

None

Assignee

Andrew Wills

Reporter

Andrew Petro

Labels

Estimated End Date

None

Components

Fix versions

Priority

Blocker