CVE-2021-44140

Severity
9.1 CRITICAL
EPSS
5.9%
top 9.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 24, 2021
Latest update Nov 29, 2021

Description

Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance, versions up to and including 2.11.0.M8, by sending a carefully crafted HTTP request on logout, provided the account running the JSPWiki instance has permission to delete those files. Apache JSPWiki users should upgrade to 2.11.0 or later.
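The advisory describes the bug class but not the code path: a value supplied by the client during logout ends up naming a server-side file that the logout handler deletes. The example below is added here to illustrate that class and its fix; it is not JSPWiki code, and the session directory, token and file names are assumptions for the demonstration. The vulnerable variant builds a path from the token with no containment check, so a token such as "../important.txt" deletes a file outside the intended directory; the hardened variant rejects separators in the token and then requires the canonical path of the target to stay under the canonical session directory, which also defends against a symlink inside that directory pointing elsewhere.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/*
 * Illustrative example (not JSPWiki's own code): a logout handler that maps a
 * client-supplied token to a file under a server-side session directory and
 * deletes it. Directory and file names are assumptions for the demonstration.
 */
public class LogoutFileDeletion {

    /** Vulnerable: the client-controlled token becomes part of a path with no containment check. */
    static boolean deleteVulnerable(File sessionDir, String token) {
        File target = new File(sessionDir, token);   // "../x" resolves outside sessionDir
        return target.delete();
    }

    /** Hardened: reject separators, then require the canonical target to remain inside sessionDir. */
    static boolean deleteHardened(File sessionDir, String token) throws IOException {
        // A session identifier never needs a path separator; refuse them up front.
        if (token == null || token.isEmpty() || token.contains("/") || token.contains("\\")) {
            return false;
        }
        // Trailing separator prevents "/work/logincookies2" from matching "/work/logincookies".
        String base = sessionDir.getCanonicalPath() + File.separator;
        File target = new File(sessionDir, token);
        String resolved = target.getCanonicalPath();   // collapses ".." and follows symlinks
        if (!resolved.startsWith(base)) {
            return false;                              // escapes the session directory: refuse
        }
        return target.delete();
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a work directory holding the session directory and an unrelated file.
        File work = Files.createTempDirectory("logout-demo").toFile();
        File sessionDir = new File(work, "logincookies");
        sessionDir.mkdirs();
        File victim = new File(work, "important.txt");      // lives outside the session directory
        Files.write(victim.toPath(), "do not delete".getBytes());

        // Crafted token: a relative path climbing out of the session directory.
        String crafted = "../important.txt";

        System.out.println("hardened deleted victim? " + deleteHardened(sessionDir, crafted)
                + " (victim exists=" + victim.exists() + ")");     // false (true)
        System.out.println("vulnerable deleted victim? " + deleteVulnerable(sessionDir, crafted)
                + " (victim exists=" + victim.exists() + ")");     // true (false)

        // A legitimate token still removes the caller's own session file.
        File own = new File(sessionDir, "abc123");
        Files.write(own.toPath(), new byte[0]);
        System.out.println("hardened deleted own session? " + deleteHardened(sessionDir, "abc123"));  // true
    }
}
```

Run it with `javac LogoutFileDeletion.java && java LogoutFileDeletion`; the hardened path refuses the crafted token while the vulnerable path removes the file outside the session directory, which is the behaviour the advisory describes in general terms. The separator check alone would stop the traversal shown here; the canonical-path comparison is kept because it is the check that survives a symlink planted inside the session directory.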

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Exploitability: 3.9 | Impact: 5.2
(Network attack vector, low attack complexity, no privileges or user interaction required, scope unchanged; no confidentiality impact, high integrity and availability impact.)

Affected Packages (3 packages)

NVD: apache/jspwiki, versions < 2.11.0
CVEListV5: apache_software_foundation/apache_jspwiki (Apache JSPWiki), version 2.11.0.M8

Vulnerability Details (3 sources)

OSV: Incorrect Default Permissions in Apache JSPWiki (2021-11-29)
GHSA: Incorrect Default Permissions in Apache JSPWiki (2021-11-29)
CVEList: Arbitrary file deletion on logout (2021-11-24)