{"api_version":"1","generated_at":"2026-04-21T10:53:00+00:00","cve":"CVE-2021-40684","urls":{"html":"https://cve.report/CVE-2021-40684","api":"https://cve.report/api/cve/CVE-2021-40684.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-40684","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-40684"},"summary":{"title":"CVE-2021-40684","description":"Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-09-22 17:15:00","updated_at":"2022-07-12 17:42:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://jira.talendforge.org/browse/SF-141","name":"https://jira.talendforge.org/browse/SF-141","refsource":"MISC","tags":[],"title":"[SF-141] [CVE-2021-40684] - Talend ESB Runtime deploys unauthenticated Jolokia by default - Talend Open Integration Solution","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://help.talend.com/r/en-US/7.3/release-notes-esb-products","name":"https://help.talend.com/r/en-US/7.3/release-notes-esb-products","refsource":"MISC","tags":[],"title":"Welcome to Talend Help Center","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-40684","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-40684","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"40684","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"talend","cpe5":"esb_runtime","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-40684","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://help.talend.com/r/en-US/7.3/release-notes-esb-products","refsource":"MISC","name":"https://help.talend.com/r/en-US/7.3/release-notes-esb-products"},{"refsource":"MISC","name":"https://jira.talendforge.org/browse/SF-141","url":"https://jira.talendforge.org/browse/SF-141"}]}},"nvd":{"publishedDate":"2021-09-22 17:15:00","lastModifiedDate":"2022-07-12 17:42:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:talend:esb_runtime:*:*:*:*:*:*:*:*","versionStartIncluding":"5.1","versionEndExcluding":"7.1.1-r2021-09","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"40684","Ordinal":"216436","Title":"CVE-2021-40684","CVE":"CVE-2021-40684","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"40684","Ordinal":"1","NoteData":"Talend ESB Runtime in all versions from 5.1 to 7.3.1-R2021-09, 7.2.1-R2021-09, 7.1.1-R2021-09, has an unauthenticated Jolokia HTTP endpoint which allows remote access to the JMX of the runtime container, which would allow an attacker the ability to read or modify the container or software running in the container.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"40684","Ordinal":"2","NoteData":"2021-09-22","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"40684","Ordinal":"3","NoteData":"2021-09-22","Type":"Other","Title":"Modified"}]}}}