The Java Portlet Specification JSR286 API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

Problem summary: A resource ID string can be set on a resource URL. If a resource ID is present, the default behavior of the GenericPortlet#serveResource method is to dispatch to the resource identified by the resource ID through a request dispatcher. The vulnerability can occur if an attacker manipulates the resource ID field on a resource URL to point to a resource such as a JSP or servlet that the user would not normally be able to access. Security constraints can be bypassed in this manner.

Even portlets that do not use resource serving can be vulnerable if the GenericPortlet#serveResource method is not overridden, since an attacker could potentially add a resource ID to a resource URL, and that resource ID would be dispatched through the GenericPortlet#serveResource method. Portlets that override the GenericPortlet#serveResource method and either do not call the super.serveResource method or call it only after verifying the resource ID are not vulnerable.
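The mitigation described above (override GenericPortlet#serveResource and validate the resource ID before delegating to super) can be written as follows. This is an added illustration, not code from the advisory or from any portlet vendor; the class name HardenedPortlet and the JSP paths in the allow-list are hypothetical, while GenericPortlet, ResourceRequest#getResourceID and ResourceResponse.HTTP_STATUS_CODE are standard JSR 286 API.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

/**
 * Hypothetical portlet that closes the CVE-2015-1926 dispatch path by
 * refusing any resource ID it has not explicitly agreed to serve.
 */
public class HardenedPortlet extends GenericPortlet {

    // Allow-list of resource IDs this portlet is willing to dispatch to.
    // The paths are constructed for this example; a real portlet lists only
    // the JSPs or servlets it actually uses for resource serving.
    private static final Set<String> ALLOWED_RESOURCE_IDS =
            Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(
                    "/WEB-INF/jsp/fragment.jsp",
                    "/WEB-INF/jsp/chart.jsp")));

    /**
     * Returns true only for an exact allow-list match. An exact comparison
     * (rather than a prefix or contains check) means traversal sequences,
     * query strings or alternative encodings in the attacker-supplied ID
     * never match a permitted entry.
     */
    static boolean isAllowedResourceId(String resourceId) {
        return resourceId != null && ALLOWED_RESOURCE_IDS.contains(resourceId);
    }

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String resourceId = request.getResourceID();

        if (!isAllowedResourceId(resourceId)) {
            // Refuse the request without consulting the request dispatcher.
            // Setting the status avoids the default dispatch in
            // GenericPortlet#serveResource; nothing else is written.
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "403");
            return;
        }

        // Only a verified resource ID reaches the inherited dispatch logic.
        super.serveResource(request, response);
    }
}
```

A portlet that performs no resource serving at all gets the same protection by keeping the override and leaving the allow-list empty (or simply returning without calling super.serveResource), so a resource ID injected into one of its resource URLs is never dispatched.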
Statement: CVE-2015-1926 did not affect JBoss Portal Platform as provided by Red Hat. For further detail, refer to the knowledge base article at https://access.redhat.com/solutions/1488163