CVE-2013-0314
Vulnerability from cvelistv5
Published
2013-04-12 22:00
Modified
2024-08-06 14:25
Summary
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:25:09.030Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "name": "52552", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/52552" }, { "name": "91120", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/91120" }, { "name": "RHSA-2013:0613", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2013-04-12T22:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "name": "52552", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/52552" }, { "name": "91120", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/91120" }, { "name": "RHSA-2013:0613", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0314", "datePublished": "2013-04-12T22:00:00Z", "dateReserved": "2012-12-06T00:00:00Z", "dateUpdated": "2024-08-06T14:25:09.030Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "vulnerability-lookup:meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2013-0314\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-04-12T22:55:01.163\",\"lastModified\":\"2024-11-21T01:47:17.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.\"},{\"lang\":\"es\",\"value\":\"El gadget GateIn Portal de exportaci\u00f3n/importaci\u00f3n en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticaci\u00f3n al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los 
portlets.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0613.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/52552\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/91120\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=913327\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0613.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/52552\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/91120\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=913327\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}" } }
gsd-2013-0314
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.
Aliases
{ "GSD": { "alias": "CVE-2013-0314", "description": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.", "id": "GSD-2013-0314", "references": [ "https://access.redhat.com/errata/RHSA-2013:0613" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2013-0314" ], "details": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.", "id": "GSD-2013-0314", "modified": "2023-12-13T01:22:15.029729Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0314", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_affected": "=", "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://rhn.redhat.com/errata/RHSA-2013-0613.html", "refsource": "MISC", "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" }, { "name": "http://secunia.com/advisories/52552", "refsource": "MISC", "url": "http://secunia.com/advisories/52552" }, { "name": "http://www.osvdb.org/91120", "refsource": "MISC", "url": "http://www.osvdb.org/91120" }, { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=913327", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" } ] } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0314" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-287" } ] } ] }, "references": { "reference_data": [ { "name": "https://bugzilla.redhat.com/show_bug.cgi?id=913327", "refsource": "MISC", "tags": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "name": "RHSA-2013:0613", "refsource": "REDHAT", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" }, { "name": "52552", "refsource": "SECUNIA", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52552" }, { "name": "91120", "refsource": "OSVDB", "tags": [], "url": "http://www.osvdb.org/91120" } ] } }, "impact": { "baseMetricV2": { "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false } }, "lastModifiedDate": "2013-04-15T04:00Z", "publishedDate": "2013-04-12T22:55Z" } } }
RHSA-2013:0613
Vulnerability from csaf_redhat
Published
2013-03-07 18:54
Modified
2024-11-22 06:19
Summary
Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update
Notes
Topic
An update for the GateIn Portal component in JBoss Enterprise Portal
Platform 5.2.2 that fixes two security issues is now available from the
Red Hat Customer Portal.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
JBoss Enterprise Portal Platform is the open source implementation of the
Java EE suite of services and Portal services running atop JBoss Enterprise
Application Platform. It comprises a set of offerings for enterprise
customers who are looking for pre-configured profiles of JBoss Enterprise
Middleware components that have been tested and certified together to
provide an integrated experience.
It was found that the GateIn Portal export/import gadget allowed an export
ZIP to be uploaded and imported to a site without authentication. A remote
attacker could use this flaw to modify the contents of a site, remove the
site, or modify access controls applied to portlets in the site.
(CVE-2013-0314)
It was found that the GateIn Portal export/import gadget was vulnerable to
XXE (XML External Entity) attacks. If the XML provided to the import gadget
contained an external XML entity, this XML entity would be resolved. A
remote attacker who can access the import gadget could use this flaw to
read files in the context of the user running the application server.
(CVE-2013-0315)
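As an added illustration of the parser hardening that closes the XXE class described above (example code, not GateIn's or Red Hat's own fix; the class name, the two sample documents and the helper methods are this example's assumptions), a Java DocumentBuilder configured to refuse any DOCTYPE in an uploaded import document, so that no external entity can ever be declared, let alone resolved:

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical helper for parsing a site-import XML document with entity resolution disabled. */
public class SafeImportXml {

    // Constructed sample: an ordinary import document with no DOCTYPE.
    static final String BENIGN =
        "<?xml version=\"1.0\"?><page><title>Home</title></page>";

    // Constructed sample: the same document with a DOCTYPE that declares an entity.
    // The hardened parser refuses every DOCTYPE, so an external (SYSTEM) entity
    // declared in the same place would never be resolved either.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE page [<!ENTITY t \"Home\">]>"
      + "<page><title>&t;</title></page>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Primary control: refuse DOCTYPE declarations entirely. Without a DTD there is
        // nowhere to declare an external entity, which is what the XXE flaw relied on.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour these features but not the one above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses xml with the hardened builder; returns null if the parser refused it. */
    static Document parseImport(String xml) throws ParserConfigurationException, IOException {
        try {
            return hardenedBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            // A "DOCTYPE is disallowed" error lands here: log it and reject the upload.
            System.err.println("import rejected: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document accepted: " + (parseImport(BENIGN) != null));
        System.out.println("DOCTYPE document refused: " + (parseImport(WITH_DOCTYPE) == null));
    }
}
```

The same factory settings apply to any JAXP parser fed with uploaded content; pair them with the authentication check on the import endpoint that CVE-2013-0314 was missing, since a hardened parser does nothing about who is allowed to import in the first place.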
The CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and
CVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red
Hat Security Response Team.
Warning: Before applying this update, back up all applications deployed on
JBoss Enterprise Portal Platform, along with all customized configuration
files, and any databases and database settings.
All users of JBoss Enterprise Portal Platform 5.2.2 as provided from the
Red Hat Customer Portal are advised to install this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "An update for the GateIn Portal component in JBoss Enterprise Portal\nPlatform 5.2.2 that fixes two security issues is now available from the\nRed Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "JBoss Enterprise Portal Platform is the open source implementation of the\nJava EE suite of services and Portal services running atop JBoss Enterprise\nApplication Platform. It comprises a set of offerings for enterprise\ncustomers who are looking for pre-configured profiles of JBoss Enterprise\nMiddleware components that have been tested and certified together to\nprovide an integrated experience.\n\nIt was found that the GateIn Portal export/import gadget allowed an export\nZIP to be uploaded and imported to a site without authentication. A remote\nattacker could use this flaw to modify the contents of a site, remove the\nsite, or modify access controls applied to portlets in the site.\n(CVE-2013-0314)\n\nIt was found that the GateIn Portal export/import gadget was vulnerable to\nXXE (XML External Entity) attacks. If the XML provided to the import gadget\ncontained an external XML entity, this XML entity would be resolved. 
A\nremote attacker who can access the import gadget could use this flaw to\nread files in the context of the user running the application server.\n(CVE-2013-0315)\n\nThe CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and\nCVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red\nHat Security Response Team.\n\nWarning: Before applying this update, back up all applications deployed on\nJBoss Enterprise Portal Platform, along with all customized configuration\nfiles, and any databases and database settings.\n\nAll users of JBoss Enterprise Portal Platform 5.2.2 as provided from the\nRed Hat Customer Portal are advised to install this update.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2013:0613", "url": "https://access.redhat.com/errata/RHSA-2013:0613" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2", "url": 
"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2" }, { "category": "external", "summary": "913327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "category": "external", "summary": "913340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0613.json" } ], "title": "Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update", "tracking": { "current_release_date": "2024-11-22T06:19:12+00:00", "generator": { "date": "2024-11-22T06:19:12+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2013:0613", "initial_release_date": "2013-03-07T18:54:00+00:00", "revision_history": [ { "date": "2013-03-07T18:54:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2013-03-07T19:07:17+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T06:19:12+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Portal 5.2", "product": { "name": "Red Hat JBoss Portal 5.2", "product_id": "Red Hat JBoss Portal 5.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2" } } } ], "category": "product_family", "name": "Red Hat JBoss Middleware" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Nick Scavelli" ], "organization": "Red Hat", "summary": "This issue was discovered by Red Hat." 
} ], "cve": "CVE-2013-0314", "cwe": { "id": "CWE-306", "name": "Missing Authentication for Critical Function" }, "discovery_date": "2013-02-20T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "913327" } ], "notes": [ { "category": "description", "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.", "title": "Vulnerability description" }, { "category": "summary", "text": "Portal: remote unauthenticated site import", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Portal 5.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-0314" }, { "category": "external", "summary": "RHBZ#913327", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0314", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0314" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314" } ], "release_date": "2013-03-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-03-07T18:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Portal 5.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:0613" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "products": [ "Red Hat JBoss Portal 5.2" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "Portal: remote unauthenticated site import" }, { "acknowledgments": [ { "names": [ "Arun Neelicattu" ] }, { "names": [ "David Jorm" ], "organization": "Red Hat Security Response Team", "summary": "This issue was discovered by Red Hat." 
} ], "cve": "CVE-2013-0315", "discovery_date": "2013-02-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "913340" } ], "notes": [ { "category": "description", "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "Portal: XML eXternal Entity (XXE) flaw in site import", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Portal 5.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-0315" }, { "category": "external", "summary": "RHBZ#913340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0315", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0315" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315" } ], "release_date": "2013-03-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-03-07T18:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Portal 5.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:0613" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Portal 5.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Portal: XML eXternal Entity (XXE) flaw in site import" } ] }
} ], "cve": "CVE-2013-0315", "discovery_date": "2013-02-21T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "913340" } ], "notes": [ { "category": "description", "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.", "title": "Vulnerability description" }, { "category": "summary", "text": "Portal: XML eXternal Entity (XXE) flaw in site import", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Portal 5.2" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-0315" }, { "category": "external", "summary": "RHBZ#913340", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0315", "url": "https://www.cve.org/CVERecord?id=CVE-2013-0315" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315" } ], "release_date": "2013-03-07T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2013-03-07T18:54:00+00:00", "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). 
Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.", "product_ids": [ "Red Hat JBoss Portal 5.2" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2013:0613" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "Red Hat JBoss Portal 5.2" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "Portal: XML eXternal Entity (XXE) flaw in site import" } ] }
rhsa-2013_0613
Vulnerability from csaf_redhat
Published
2013-03-07 18:54
Modified
2024-11-22 06:19
Summary
Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update
Notes
Topic
An update for the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 that fixes two security issues is now available from the Red Hat Customer Portal.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Details
JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience.

It was found that the GateIn Portal export/import gadget allowed an export ZIP to be uploaded and imported to a site without authentication. A remote attacker could use this flaw to modify the contents of a site, remove the site, or modify access controls applied to portlets in the site. (CVE-2013-0314)

It was found that the GateIn Portal export/import gadget was vulnerable to XXE (XML External Entity) attacks. If the XML provided to the import gadget contained an external XML entity, this XML entity would be resolved. A remote attacker who can access the import gadget could use this flaw to read files in the context of the user running the application server. (CVE-2013-0315)

The CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and CVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team.

Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings.

All users of JBoss Enterprise Portal Platform 5.2.2 as provided from the Red Hat Customer Portal are advised to install this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
fkie_cve-2013-0314
Vulnerability from fkie_nvd
Published
2013-04-12 22:55
Modified
2024-11-21 01:47
Summary
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.
References
Impacted products
Vendor | Product | Version
---|---|---
redhat | jboss_enterprise_portal_platform | 5.2.2
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets." }, { "lang": "es", "value": "El gadget GateIn Portal de exportaci\u00f3n/importaci\u00f3n en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticaci\u00f3n al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los portlets." } ], "id": "CVE-2013-0314", "lastModified": "2024-11-21T01:47:17.343", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-04-12T22:55:01.163", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52552" }, { "source": "secalert@redhat.com", "url": "http://www.osvdb.org/91120" }, { "source": "secalert@redhat.com", "url": 
"https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/52552" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/91120" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
ghsa-5gr9-q682-676m
Vulnerability from github
Published
2022-05-05 02:48
Modified
2022-05-05 02:48
Details
The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.
{ "affected": [], "aliases": [ "CVE-2013-0314" ], "database_specific": { "cwe_ids": [ "CWE-287" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2013-04-12T22:55:00Z", "severity": "HIGH" }, "details": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.", "id": "GHSA-5gr9-q682-676m", "modified": "2022-05-05T02:48:46Z", "published": "2022-05-05T02:48:46Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html" }, { "type": "WEB", "url": "http://secunia.com/advisories/52552" }, { "type": "WEB", "url": "http://www.osvdb.org/91120" } ], "schema_version": "1.4.0", "severity": [] }