9.1

CVE-2021-44140

EPSS 5.87%
Veröffentlicht 24.11.2021 12:15:07
Zuletzt bearbeitet 21.11.2024 06:30:25
Quelle security@apache.org
CVE-Watchlists
Login
Unerledigt
Login

Arbitrary file deletion on logout

Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Jspwiki Version < 2.11.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	5.87%	0.902

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:N/I:P/A:P

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140

Vendor Advisory

https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2021-44140

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44140

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44140

EUVD