CVE-2021-44140
Published on: Not Yet Published
Last Modified on: 11/29/2021 02:42:00 PM UTC
Certain versions of Jspwiki from Apache contain the following vulnerability:
Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefully crafted HTTP request on logout, provided that those files are reachable by the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
- CVE-2021-44140 has been assigned by [email protected] to track the vulnerability; it is currently rated as CRITICAL severity.
- Affected Vendor/Software: Apache Software Foundation - Apache JSPWiki version <= 2.11.0.M8
Vulnerability Patch/Work Around
- Apache JSPWiki users should upgrade to 2.11.0 or later.
CVSS3 Score: 9.1 - CRITICAL
Attack Vector | Attack Complexity | Privileges Required | User Interaction
---|---|---|---
NETWORK | LOW | NONE | NONE

Scope | Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---|---
UNCHANGED | NONE | HIGH | HIGH
CVSS2 Score: 6.4 - MEDIUM
Access Vector | Access Complexity | Authentication
---|---|---
NETWORK | LOW | NONE

Confidentiality Impact | Integrity Impact | Availability Impact
---|---|---
NONE | PARTIAL | PARTIAL
CVE References
Description | Tags
---|---
No Description Provided | lists.apache.org, text/html
JSPWiki: CVE-2021-44140 | jspwiki-wiki.apache.org, text/html
Related QID Numbers
- 980003 Java (maven) Security Update for org.apache.jspwiki:jspwiki-main (GHSA-8gw6-w5rw-4g5c)
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Application | Apache | Jspwiki | All | All | All | All |
- cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*:
Discovery Credit
Apache JSPWiki would like to thank haby0 ([email protected]) from Duxiaoman Financial Security Team for discovering and proposing the fix for this issue.
Social Mentions
Title | Posted (UTC)
---|---
[CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout: Posted by Juan Pablo Santos Rodríguez on Nov 23S… twitter.com/i/web/status/1… | 2021-11-24 02:30:09
jspwiki CVE-2021-44140 https://t.co/FPDho3zHY6 | 2021-11-24 08:59:56
CVE-2021-44140 : Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to… twitter.com/i/web/status/1… | 2021-11-24 11:19:46