CVE-2015-3244

CWE-264 CWE-862 — Missing Authorization CWE-200 — Information Exposure6 documents5 sources

Severity

4.9MEDIUM

EPSS

0.3%

top 49.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Portal Platform

Timeline

PublishedJul 16

Latest updateMay 17

Description

The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 6.8 | Impact: 4.9

Affected Packages1 packages

▶NVDredhat/jboss_enterprise_portal_platform6.2.0

🔴Vulnerability Details

GHSA

GHSA-3c2g-fm84-g225: The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6↗2022-05-17

▶

CVEList

CVE-2015-3244: The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6↗2015-07-16

▶

📋Vendor Advisories

Red Hat

JSF: Information disclosure due to missing access restriction in portlet resource dispatching↗2015-07-14

▶

💬Community

Bugzilla

CVE-2015-3244 JSF: Information disclosure due to missing access restriction in portlet resource dispatching↗2015-06-17

▶

Bugzilla

CVE-2015-3011 CVE-2015-3012 CVE-2015-3013 owncloud: various flaws fixed in 7.0.5↗2015-05-04

▶