{"api_version":"1","generated_at":"2026-04-23T01:31:44+00:00","cve":"CVE-2015-3244","urls":{"html":"https://cve.report/CVE-2015-3244","api":"https://cve.report/api/cve/CVE-2015-3244.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2015-3244","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2015-3244"},"summary":{"title":"CVE-2015-3244","description":"The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2015-07-16 11:00:00","updated_at":"2016-11-28 19:23:00"},"problem_types":["CWE-264"],"metrics":[],"references":[{"url":"http://rhn.redhat.com/errata/RHSA-2015-1226.html","name":"RHSA-2015:1226","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html","name":"http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html","refsource":"CONFIRM","tags":[],"title":"Oracle Critical Patch Update - July 2015","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1232908","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1232908","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"1232908 – (CVE-2015-3244) CVE-2015-3244 JSF: Information disclosure due to missing access restriction in portlet resource dispatching","mime":"text/html","httpstatus":"200","archivestatus":"503"},{"url":"http://www.securityfocus.com/bid/75941","name":"75941","refsource":"BID","tags":[],"title":"Portlet Bridge for JavaServer Faces CVE-2015-3244 Information Disclosure Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2015-3244","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-3244","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2015","cve_id":"3244","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_portal_platform","cpe6":"6.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2015","cve_id":"3244","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"jboss_enterprise_portal_platform","cpe6":"6.2.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2015-3244","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html","refsource":"MISC","name":"http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html"},{"url":"http://rhn.redhat.com/errata/RHSA-2015-1226.html","refsource":"MISC","name":"http://rhn.redhat.com/errata/RHSA-2015-1226.html"},{"url":"http://www.securityfocus.com/bid/75941","refsource":"MISC","name":"http://www.securityfocus.com/bid/75941"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1232908","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1232908"}]}},"nvd":{"publishedDate":"2015-07-16 11:00:00","lastModifiedDate":"2016-11-28 19:23:00","problem_types":["CWE-264"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":4.9},"severity":"MEDIUM","exploitabilityScore":6.8,"impactScore":4.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:6.2.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2015","CveId":"3244","Ordinal":"80197","Title":"CVE-2015-3244","CVE":"CVE-2015-3244","Year":"2015"},"notes":[{"CveYear":"2015","CveId":"3244","Ordinal":"1","NoteData":"The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID.","Type":"Description","Title":null},{"CveYear":"2015","CveId":"3244","Ordinal":"2","NoteData":"2015-07-16","Type":"Other","Title":"Published"},{"CveYear":"2015","CveId":"3244","Ordinal":"3","NoteData":"2016-11-25","Type":"Other","Title":"Modified"}]}}}