CVE-2014-3417. For portlets that have a CONFIG mode, any user who can SUBSCRIBE the portlet can CONFIG it without holding the CONFIG permission on that portlet entity, which ought to be required.
More information on this vulnerability and how you can address it locally is at
Addressed in the forthcoming 18.104.22.168 release in not-yet-pushed de2acd1d613980d0540df8e2f7babf0e6281dc96. Addressed for 4.0.14 and for master in a not-yet-pushed commit.
Bumping JIRA issue to "Resolved" so the generated 22.214.171.124 release notes look right.
Correct CVE identifier digit transpose.