CVE-2021-34427
published 2021-06-25


Priority: P186, critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 57.71% (99.0th percentile)
In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file which is accessible from remote (current BIRT viewer dir) to inject JSP code into the running instance.

Affected (2 ranges)

Vendor                 | Product                                    | Version range        | Fixed in
eclipse                | business_intelligence_and_reporting_tools  | <= 4.8.0             |
the_eclipse_foundation | eclipse_birt                               | unspecified – 4.8.0  |

Detection & IOCs (extracted from sources)

URL: /document?__report=test.rptdesign&sample={{url_encode(payload)}}&__document=./test/{(unknown)}.jsp/.
Path: ./test/{(unknown)}.jsp/.
Sigma rule: (not included on this page)
Shodan query: http.title:"eclipse birt home"
  • Look for HTTP GET requests to the /document endpoint with both __report and __document query parameters, where __document contains a path ending in .jsp/. (dot-slash-dot path traversal trick to create a JSP file).
  • A successful first-stage exploitation produces the response string 'The report document file has been generated successfully.' — monitor for this in HTTP response bodies alongside .jsp file creation in the BIRT viewer directory.
  • After JSP file creation, attackers issue a follow-up GET request directly to the newly created JSP file under the /test/ path. Detect sequential requests: first to /document with a .jsp/__document parameter, then to /test/<random>.jsp.
  • The exploit requires exactly two HTTP requests (max-request: 2): the first creates the malicious JSP via crafted query parameters, the second fetches and executes it. Correlate these two requests in access logs.
  • Identify Eclipse BIRT instances exposed on the internet using the Shodan dork 'http.title:"eclipse birt home"' to scope vulnerable assets.
  • The vulnerability only affects Eclipse BIRT instances that ship the viewer component. Red Hat Enterprise Linux 6 packages of eclipse-birt are NOT affected because the viewer component is not included.
  • The attack is unauthenticated (PR:N, UI:N) and exploitable over the network (AV:N, AC:L), meaning no credentials or user interaction are required; any internet-exposed BIRT viewer <= 4.8.0 is at risk.
  • The malicious JSP file is written into the current BIRT viewer directory (./test/ relative path), so the web server process must have write permissions to that directory for exploitation to succeed.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck     |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |