CVE-2014-3417 Any user can Configure any portlet they can SUBSCRIBE

Description

CVE-2014-3417. For portlets that have a CONFIG mode, any user who can SUBSCRIBE to the portlet can also CONFIG it without holding the CONFIG permission on that portlet entity, which ought to be required.

More information on this vulnerability and how you can address it locally is at

https://gist.github.com/apetro/e56984a85f23d492c9c0
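As an added illustration (not uPortal's code; the type, function and ACL names below are hypothetical), the gap the description identifies, a mode check that stops at SUBSCRIBE, beside a check that maps each requested portlet mode to the permission it requires, plus a small audit helper that lists the users the weaker check would let through:

```python
# Hypothetical model of a portlet-mode authorization check. Not uPortal code;
# Permission, PortletMode, ACL and the function names are assumptions for illustration.
from enum import Enum


class Permission(Enum):
    SUBSCRIBE = "SUBSCRIBE"
    CONFIG = "CONFIG"


class PortletMode(Enum):
    VIEW = "VIEW"
    EDIT = "EDIT"
    HELP = "HELP"
    CONFIG = "CONFIG"


# Constructed sample ACL: portlet entity -> user -> permissions granted on that entity.
ACL = {
    "weather": {
        "alice": {Permission.SUBSCRIBE, Permission.CONFIG},
        "bob": {Permission.SUBSCRIBE},
    }
}


def has_permission(user, portlet, perm):
    return perm in ACL.get(portlet, {}).get(user, set())


def can_enter_mode_vulnerable(user, portlet, mode):
    """Weak pattern: only SUBSCRIBE is checked, whatever mode is requested."""
    return has_permission(user, portlet, Permission.SUBSCRIBE)


# Modes that need a permission beyond SUBSCRIBE; every other mode needs SUBSCRIBE only.
EXTRA_REQUIRED = {PortletMode.CONFIG: Permission.CONFIG}


def can_enter_mode_fixed(user, portlet, mode):
    """Corrected pattern: SUBSCRIBE is always required, CONFIG mode also requires CONFIG."""
    if not has_permission(user, portlet, Permission.SUBSCRIBE):
        return False
    extra = EXTRA_REQUIRED.get(mode)
    return extra is None or has_permission(user, portlet, extra)


def users_exposed_to_config(portlet):
    """Audit helper: users the weak check admits to CONFIG mode but the fixed check refuses."""
    return sorted(
        u for u in ACL.get(portlet, {})
        if can_enter_mode_vulnerable(u, portlet, PortletMode.CONFIG)
        and not can_enter_mode_fixed(u, portlet, PortletMode.CONFIG)
    )
```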

Environment

None

Activity

Andrew Petro
May 23, 2014, 5:29 PM

Addressed in the forthcoming 4.0.13.1 release in not-yet-pushed de2acd1d613980d0540df8e2f7babf0e6281dc96. Addressed for 4.0.14 and for master in a not-yet-pushed commit.

Bumping JIRA issue to "Resolved" so the generated 4.0.13.1 release notes look right.

Andrew Petro
May 23, 2014, 8:46 PM

Correct CVE identifier digit transpose.

Assignee

Andrew Petro

Reporter

Andrew Petro

Labels

Estimated End Date

None

Components

Fix versions

Priority

Blocker