Critical Vulnerability Information

CVE ID: CVE-2016-2171

Vulnerability Description: Jetspeed User Manager REST service is not restricted by the Jetspeed security framework.

Severity: Important

Vulnerability Details

Vendor: The Apache Software Foundation

Affected Versions: Jetspeed 2.3.0

Description:
- The Jetspeed User Manager service is vulnerable to unauthorized access.
- The following APIs are not protected by Jetspeed Security:
  - GET http://host/jetspeed/services/usermanager/users/
  - GET http://host/jetspeed/services/usermanager/users/{name}/
  - POST http://host/jetspeed/services/usermanager/users/{name}/
  - POST http://host/jetspeed/services/usermanager/users/
  - DELETE http://host/jetspeed/services/usermanager/users/{name}/
- In the upcoming 2.3.1 release, these URLs will be secured via Jetspeed Security and will require administrative privileges.

Mitigation

Users running version 2.3.0 should upgrade to version 2.3.1.

Acknowledgments

This issue was discovered by Andreas Lindh.

References

http://tomcat.apache.org/security.html
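For operators who ran Jetspeed 2.3.0 before upgrading, the practical follow-up question is whether the unprotected User Manager endpoints listed above were ever called. The script below is an added example, not part of the advisory or the Jetspeed project: it parses Tomcat access log lines in the "common" AccessLogValve format, picks out requests under the /jetspeed/services/usermanager/users prefix named in the advisory, and flags the POST and DELETE calls, since those create, modify or remove accounts. The log lines are constructed for the example. One caveat: Jetspeed performs its own application-level authentication, so the container's remote-user field is often "-" even for legitimate administrator sessions; the output is a triage list to check against Jetspeed's own user and audit records, not proof of compromise by itself.

```python
import re
from dataclasses import dataclass

# Endpoint prefix named in the advisory for CVE-2016-2171.
USERMANAGER_PREFIX = "/jetspeed/services/usermanager/users"

# Tomcat AccessLogValve "common" pattern:
#   host ident user [time] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


@dataclass
class Finding:
    host: str
    time: str
    method: str
    path: str
    status: str
    state_changing: bool   # POST/DELETE: account created, modified or removed
    container_user: str    # "-" means the container recorded no principal


def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_access_log(lines):
    """Collect every request that touched the User Manager REST endpoints."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # unparseable line: skip, do not guess
        path = rec["path"].split("?", 1)[0]   # ignore the query string when matching
        if not path.startswith(USERMANAGER_PREFIX):
            continue
        findings.append(Finding(
            host=rec["host"],
            time=rec["time"],
            method=rec["method"],
            path=path,
            status=rec["status"],
            state_changing=rec["method"] in ("POST", "DELETE"),
            container_user=rec["user"],
        ))
    return findings


def hosts_with_state_changes(findings):
    """Sorted list of client addresses that issued POST or DELETE to the service."""
    return sorted({f.host for f in findings if f.state_changing})


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2016:10:15:32 +0000] "GET /jetspeed/portal/ HTTP/1.1" 200 8123',
    '10.0.0.5 - - [12/May/2016:10:15:40 +0000] "GET /jetspeed/services/usermanager/users/ HTTP/1.1" 200 2310',
    '203.0.113.7 - - [12/May/2016:10:16:02 +0000] "POST /jetspeed/services/usermanager/users/ HTTP/1.1" 200 64',
    '203.0.113.7 - - [12/May/2016:10:16:09 +0000] "DELETE /jetspeed/services/usermanager/users/admin/ HTTP/1.1" 200 12',
    '10.0.0.9 - - [12/May/2016:10:17:55 +0000] "GET /jetspeed/services/usermanager/users/alice/?format=json HTTP/1.1" 200 410',
    'this line is not an access log entry',
]


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flag = "STATE-CHANGE" if f.state_changing else "read"
        print(f"{f.time}  {f.host:<14} {f.method:<7} {f.path}  status={f.status}  [{flag}]")
    print("hosts issuing POST/DELETE:", hosts_with_state_changes(scan_access_log(SAMPLE_LOG)))
```

Feed real Tomcat access logs through `scan_access_log` line by line; if the valve uses a different pattern, adjust `LOG_RE` to match it before trusting the results.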