CVE-2021-44140

CRITICAL9.1EPSS 5.9%

Incorrect Default Permissions in Apache JSPWiki

Published: 11/29/2021Modified: 11/8/2023

Description

Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.

Affected packages (1)

Maven/org.apache.jspwiki:jspwiki-mainfrom 0, < 2.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-44140
PATCHhttps://github.com/apache/jspwiki
WEBhttps://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140
WEBhttps://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t