CVE-2021-34427
Published 2021-06-25
Priority: P1 · 86 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV · Initial access · Exploited in the wild
EPSS: 57.71% (99.0th percentile)
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | business_intelligence_and_reporting_tools | <= 4.8.0 | — |
| the_eclipse_foundation | eclipse_birt | unspecified – 4.8.0 | — |
Detection & IOCs (extracted from sources)
- url: /document?__report=test.rptdesign&sample={{url_encode(payload)}}&__document=./test/{(unknown)}.jsp/.
- path: ./test/{(unknown)}.jsp/.
- sigma: shodan-query: 'http.title:"eclipse birt home"'
- Look for HTTP GET requests to the /document endpoint with both __report and __document query parameters, where __document contains a path ending in .jsp/. (the dot-slash-dot path traversal trick used to create a JSP file).
- A successful first-stage exploitation produces the response string 'The report document file has been generated successfully.'; monitor for this in HTTP response bodies alongside .jsp file creation in the BIRT viewer directory.
- After JSP file creation, attackers issue a follow-up GET request directly to the newly created JSP file under the /test/ path. Detect sequential requests: first to /document with a .jsp __document parameter, then to /test/<random>.jsp.
- The exploit requires exactly two HTTP requests (max-request: 2): the first creates the malicious JSP via crafted query parameters, the second fetches and executes it. Correlate these two requests in access logs.
- Identify Eclipse BIRT instances exposed on the internet using the Shodan dork 'http.title:"eclipse birt home"' to scope vulnerable assets.
- The vulnerability only affects Eclipse BIRT instances that ship the viewer component. Red Hat Enterprise Linux 6 packages of eclipse-birt are NOT affected because the viewer component is not included.
- The attack is unauthenticated (PR:N, UI:N) and exploitable over the network (AV:N, AC:L), meaning no credentials or user interaction are required; any internet-exposed BIRT viewer ≤4.8.0 is at risk.
- The malicious JSP file is written into the current BIRT viewer directory (./test/ relative path), so the web server process must have write permissions to that directory for exploitation to succeed.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
Red Hat
eclipse-birt: an attacker can use query parameters to create a JSP file and inject JSP code into the running instance
vendor_redhat · 2018-08-22 · CVSS 9.8 · CRITICAL · CWE-20
A flaw was found in eclipse-birt. An attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: This flaw does not affect eclipse-birt as shipped with Red Hat Enterprise Linux 6 because the vulnerable component of birt is not shipped; the shipped
GHSA
GHSA-c7m8-c6v2-pxw4
ghsa_unreviewed · 2022-05-24 · CRITICAL · CWE-20
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance.
VulnCheck
eclipse business_intelligence_and_reporting_tools Improper Input Validation
vulncheck · 2021 · CVSS 9.8 · CRITICAL
Affected: eclipse business_intelligence_and_reporting_tools
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2021-34427
No detection rules found.
Nuclei
Eclipse BIRT Viewer - Remote Code Execution
nuclei · CVSS 9.8 · CRITICAL
Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory; the exploit requires sending crafted query parameters.
Template:
```yaml
id: CVE-2021-34427

info:
  name: Eclipse BIRT Viewer - Remote Code Execution
  author: us3r777,Synacktiv
  severity: critical
  description: |
    Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters.
  impact: |
    Unauthenticated attackers can create and access malicious JSP files via JSP injection, achieving remote code execution and complete ser
```
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/170326/Eclipse-Business-Intelligence-Reporting-Tool-4.11.0-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2022/Dec/30
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142