CVE-2021-44140
Published 2021-11-24
Priority P262 · Severity: critical · CVSS 3.1 base score 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
EPSS: 6.16% (92.6th percentile)
Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, provided that those files are reachable by the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later. Because the deletion happens with the privileges of the account running the wiki, the files at risk are exactly those that account can delete, so running the servlet container as a dedicated, least-privileged user bounds the damage until the upgrade is applied.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | jspwiki | < 2.11.0 | 2.11.0 |
| apache_software_foundation | apache_jspwiki | Apache JSPWiki, up to 2.11.0.M8 | — |
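Both affected ranges describe the same cut-off: every build before the 2.11.0 release, including the 2.11.0.M1 through 2.11.0.M8 milestone builds, is vulnerable, and 2.11.0 itself is fixed. A naive string or tuple comparison gets this wrong, because `2.11.0.M8` must sort below `2.11.0`. The following added example (not code from this page or from the JSPWiki project) encodes that ordering and applies it to a constructed inventory; the host names are made up, and where the version string comes from (the deployed jar's manifest or whatever the wiki reports) is left to the operator and is an assumption here.

```python
"""Decide whether a reported Apache JSPWiki version is in the range
affected by CVE-2021-44140: everything before the 2.11.0 release,
including the 2.11.0.M1 ... 2.11.0.M8 milestone builds."""

import re
from typing import Dict, List, Tuple

FIXED_VERSION = "2.11.0"

# Pre-release qualifiers sort before the final release of the same
# numeric version; milestones sort before release candidates.
_PRERELEASE_RANK = {"M": 0, "RC": 1}

_VERSION_RE = re.compile(
    r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?"   # major.minor[.patch]
    r"(?:[.\-]?(M|RC)(\d+))?"            # optional milestone / RC suffix
    r"\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, int, int, int, int, int]:
    """Turn a version string such as '2.11.0.M8' into a sortable tuple.

    Layout: (major, minor, patch, is_final, qualifier_rank, qualifier_number).
    is_final is 1 for release builds and 0 for pre-releases, which is what
    makes 2.11.0.M8 < 2.11.0 while keeping 2.11.0 < 2.11.1.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised JSPWiki version string: {text!r}")
    major, minor, patch, qualifier, qualifier_number = match.groups()
    numeric = (int(major), int(minor), int(patch or 0))
    if qualifier is None:
        return numeric + (1, 0, 0)
    return numeric + (0, _PRERELEASE_RANK[qualifier.upper()], int(qualifier_number))


def is_affected(version: str) -> bool:
    """True when the build predates the 2.11.0 release that carries the fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts in a {host: version} inventory still running an
    affected build, sorted by host name for stable reporting."""
    return sorted(host for host, version in inventory.items() if is_affected(version))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "wiki-a.example": "2.10.5",
    "wiki-b.example": "2.11.0.M8",
    "wiki-c.example": "2.11.0",
    "wiki-d.example": "v2.11.1",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: JSPWiki {SAMPLE_INVENTORY[host]} is affected by "
              f"CVE-2021-44140; upgrade to {FIXED_VERSION} or later")
```

Release candidates of 2.11.0 are treated as affected as well, since they also predate the 2.11.0 release named as the fix; a version string the regex does not recognise raises rather than silently passing, so an odd build label shows up in triage instead of being marked clean.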
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
| nvd | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P |
OSV
Incorrect Default Permissions in Apache JSPWiki
osv · 2021-11-29 · CVE-2021-44140 · CRITICAL
GHSA
Incorrect Default Permissions in Apache JSPWiki
ghsa · 2021-11-29 · CVE-2021-44140 · CRITICAL · CWE-276 Incorrect Default Permissions
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.