CVE-2015-5176
PortletBridge: information disclosure via auto-dispatching of non-JSF resources
Public Exploits: 0
Exploited in Wild: -
Descriptions
The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource.
It was found that PortletBridge PortletRequestDispatcher did not respect security constraints set by the servlet if a portlet request asked for rendering of a non-JSF resource such as JSP or HTML. A remote attacker could use this flaw to potentially bypass certain security constraints and gain access to restricted resources.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2015-07-01 CVE Reserved
- 2015-08-04 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-17: DEPRECATED: Code
- CWE-284: Improper Access Control
CAPEC
References (3)
URL | Date | SRC |
---|---|---|
http://rhn.redhat.com/errata/RHSA-2015-1543.html | 2015-08-11 | |
https://access.redhat.com/security/cve/CVE-2015-5176 | 2015-08-04 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1244835 | 2015-08-04 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Redhat | Jboss Portal | 6.2.0 | - | Affected |