CVE-2015-3244 – JSF: Information disclosure due to missing access restriction in portlet resource dispatching

https://notcve.org/view.php?id=CVE-2015-3244

The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID. El Portlet Bridge para JavaServer Faces en Red Hat JBoss Portal 6.2.0, cuando se utiliza en portlets con el recurso estándar funcionando para el GenericPortlet, no restringe adecuadamente el acceso a los recursos limitados, lo que permite a atacantes remotos obtener información sensible a través de una URL con un recurso ID modificado. It was found that JavaServer Faces PortletBridge-based portlets using GenericPortlet's default resource serving did not restrict access to resources within the web application. An attacker could set the resource ID field of a URL to potentially bypass security constraints and gain access to restricted resources. • http://rhn.redhat.com/errata/RHSA-2015-1226.html http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html http://www.securityfocus.com/bid/75941 https://bugzilla.redhat.com/show_bug.cgi?id=1232908 https://access.redhat.com/security/cve/CVE-2015-3244 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-264: Permissions, Privileges, and Access Controls •