oss-sec mailing list archives

CVE Request - Webproxy Portlet - cross-user cache over-hits

From: Andrew W Petro <andrew.petro () wisc edu>
Date: Wed, 16 Nov 2016 14:19:42 +0000

Hi,

Apereo (previously, Jasig) Webproxy Portlet v2 prior to v2.2.2 is bugged such that it uses too little information in 
computing cache keys. In some circumstances this results in users seeing cached content intended for and personalized 
to other users. Apereo tracks this issue as WPP-101 .

Adopters should immediately upgrade to v2.2.2, which simply removes the inappropriate caching behavior while otherwise 
remaining backwards-compatible.

Please assign a CVE-ID to this issue.

More information:

+ https://apereo.github.io/2016/11/14/web-proxy-overcaching/
+ https://issues.jasig.org/browse/WPP-101
+ https://groups.google.com/a/apereo.org/d/topic/uportal-dev/0XpSvhjmgDo/discussion
+ https://groups.google.com/a/apereo.org/d/topic/uportal-user/uGvdHC97AS0/discussion

Kind regards,

Andrew

Current thread:

CVE Request - Webproxy Portlet - cross-user cache over-hits Andrew W Petro (Nov 16)
- Re: CVE Request - Webproxy Portlet - cross-user cache over-hits Andrew W Petro (Dec 06)