{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-08-04T00:00:00", "descriptions": [{"lang": "en", "value": "The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2015-08-11T13:57:04", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2015:1543", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1543.html"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:07.566Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2015:1543", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1543.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5176", "datePublished": "2015-08-11T14:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:07.566Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:jboss_portal:6.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EE316DBF-6753-41A1-947B-1CA6184FC505", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource."}, {"lang": "es", "value": "Vulnerabilidad en PortletRequestDispatcher en PortletBridge, tal como se utiliza en Red Hat JBoss Portal versi\u00f3n 6.2.0, no hace cumplir adecuadamente las restricciones de seguridad de servlets, lo que permite a atacantes remotos obtener el acceso a los recursos a trav\u00e9s de una petici\u00f3n que solicita hacer uso de un recurso no JSF."}], "id": "CVE-2015-5176", "lastModified": "2015-08-11T18:08:43.107", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-08-11T14:59:11.557", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1543.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-17"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Liferay, Inc. for reporting this issue.", "affected_release": [{"advisory": "RHSA-2015:1543", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package": "portlet", "product_name": "Red Hat JBoss Portal 6.2", "release_date": "2015-08-04T00:00:00Z"}], "bugzilla": {"description": "PortletBridge: information disclosure via auto-dispatching of non-JSF resources", "id": "1244835", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1244835"}, "csaw": false, "cvss": {"cvss_base_score": "4.9", "cvss_scoring_vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "status": "verified"}, "cwe": "CWE-284", "details": ["The PortletRequestDispatcher in PortletBridge, as used in Red Hat JBoss Portal 6.2.0, does not properly enforce the security constraints of servlets, which allows remote attackers to gain access to resources via a request that asks to render a non-JSF resource.", "It was found that PortletBridge PortletRequestDispatcher did not respect security constraints set by the servlet if a portlet request asked for rendering of a non-JSF resource such as JSP or HTML. A remote attacker could use this flaw to potentially bypass certain security constraints and gain access to restricted resources."], "name": "CVE-2015-5176", "public_date": "2015-08-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5176\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5176"], "threat_severity": "Moderate"}