CVE-2021-44140

EPSS 6.73%
Published 24.11.2021 12:15:07
Last modified 21.11.2024 06:30:25
Source security@apache.org
Teams watchlist Login
Open Login

Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.

Affected products Warnungen 0 Metrics 3 CWE 1 References 5

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Jspwiki Version < 2.11.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	6.73%	0.909

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:N/I:P/A:P

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140

Vendor Advisory

https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2021-44140

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2021-44140

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2021-44140

EUVD