CVE-2021-44138
published 2022-04-04


Priority: P2 · 63 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Flags: EXPLOIT
EPSS: 14.12% (96.1th percentile)
There is a Directory traversal vulnerability in Caucho Resin, as distributed in Resin 4.0.52 - 4.0.56, which allows remote attackers to read files in arbitrary directories via a ; in a pathname within an HTTP request.

Affected

1 range

Vendor   Product   Version range     Fixed in
caucho   resin     4.0.52 – 4.0.56

Detection & IOCs (extracted from sources)

sigma
title: Caucho Resin semicolon path traversal (CVE-2021-44138)
logsource:
  category: webserver
detection:
  selection:
    http.uri|contains: ';'
  # Exclude ordinary .jsp/.jspx URIs (e.g. ;jsessionid=...) that legitimately carry a semicolon
  filter:
    http.uri|contains:
      - '.jsp'
      - '.jspx'
  condition: selection and not filter
  • Directory traversal is triggered by injecting a semicolon (;) into the URI path within an HTTP request to Caucho Resin. Monitor HTTP requests to Resin servers for URIs containing semicolons combined with path traversal sequences (e.g., ../).
  • Successful exploitation responses return HTTP 200 with Content-Type of text/xml or application/xml. Correlate 200 responses containing XML content-types to traversal-pattern URIs on Resin servers.
  • Affected versions are Resin 4.0.52 through 4.0.56. Prioritize detection on hosts running these specific Resin versions.
  • The vulnerability affects only Resin versions 4.0.52 through 4.0.56. Detection rules should be scoped to these versions to reduce false positives.
  • The Nuclei template uses an AND condition combining the semicolon-in-path check, XML content-type in the response header, and HTTP 200 status. All three conditions must be met for a confirmed hit; tuning any single condition alone will increase the false positive rate.
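The detection logic described above, as an added Python example that is not part of this page nor of any Sigma, Nuclei or Resin project: it applies the sigma selection and filter to each request, then grades the hit with the response correlation from the bullets (semicolon in path + HTTP 200 + XML content-type = confirmed; semicolon + ../ = suspect). The log line format and the sample traffic are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed log format for this example (not a real server log format):
#   METHOD URI STATUS "response-content-type"
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3}) "(?P<ctype>[^"]*)"$')


@dataclass
class Verdict:
    uri: str
    level: str   # "confirmed", "suspect" or "low"
    reason: str


def classify(line: str) -> Optional[Verdict]:
    """Apply the sigma selection/filter, then grade with the response correlation."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri, status, ctype = m["uri"], m["status"], m["ctype"].lower()
    path = uri.split("?", 1)[0]            # path component only (narrower than the sigma rule)
    if ";" not in path:
        return None                        # sigma selection: semicolon in the URI path
    if ".jsp" in uri:                      # sigma filter: .jsp/.jspx URIs (jsessionid-style)
        return None
    xml_200 = status == "200" and ("text/xml" in ctype or "application/xml" in ctype)
    if xml_200:                            # all three Nuclei conditions met
        return Verdict(uri, "confirmed", "semicolon in path, HTTP 200, XML content-type")
    if "../" in path:                      # semicolon combined with a traversal sequence
        return Verdict(uri, "suspect", "semicolon in path with ../ sequence")
    return Verdict(uri, "low", "semicolon in path only")


def scan(lines: List[str]) -> List[Verdict]:
    return [v for v in (classify(line) for line in lines) if v is not None]


# Constructed sample traffic to a Resin host (not real captures).
SAMPLE_LOG = [
    'GET /docs/;/app.xml 200 "text/xml"',
    'GET /app/index.jsp;jsessionid=ABC123 200 "text/html"',
    'GET /docs/;/../../conf/app.xml 404 ""',
    'GET /static/logo.png 200 "image/png"',
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        print(f"[{v.level}] {v.uri}: {v.reason}")
```

Scope the results to hosts running Resin 4.0.52 through 4.0.56 before alerting, as the bullets recommend.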

CVSS provenance

NVD v3.1: 7.5 HIGH  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
NVD v2.0: 5.0 MEDIUM  AV:N/AC:L/Au:N/C:P/I:N/A:N