Vulnerability Details : CVE-2021-44140
Remote attackers may delete arbitrary files on a system hosting a JSPWiki instance, versions up to and including 2.11.0.M8, by sending a carefully crafted HTTP request on logout, provided that those files are reachable (deletable) by the operating-system user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later. Until the upgrade is applied, the blast radius is bounded by that user's filesystem permissions, so running JSPWiki under a dedicated, least-privilege account with write access limited to its own data directories is the relevant compensating control.
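A practitioner reading this entry usually needs a repeatable check of which deployed instances fall inside the affected range. The block below is an added example, not code from this page or from the Apache JSPWiki project. It assumes JSPWiki's dotted version strings, in which a milestone build such as 2.11.0.M8 precedes the final 2.11.0 release; the hyphenated milestone form (2.11.0-M8) and the sample inventory are constructed for illustration.

```python
"""Affected-version triage for CVE-2021-44140 (Apache JSPWiki).

The advisory states that versions up to 2.11.0.M8 are affected and that
2.11.0 or later is fixed. Milestone builds (2.11.0.M8) sort before the
final release of the same number, which a naive string or tuple
comparison gets wrong, so the parser encodes that ordering explicitly.
"""
import re
from typing import Dict, Tuple

FIXED_VERSION = "2.11.0"  # from the advisory: upgrade to 2.11.0 or later

# Accepts "2.10.5", "2.11.0.M8" and "2.11.0-M8". The "-M" separator is an
# assumption for convenience; the advisory only shows the dotted form.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sort key (major, minor, patch, is_final, milestone).

    is_final is 0 for milestone builds and 1 for final releases, so
    2.11.0.M8 < 2.11.0 < 2.11.1. Raises ValueError on anything else.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised JSPWiki version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the given JSPWiki version is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'affected', 'fixed' or 'unknown'.

    Unparseable versions (for example snapshot builds) are reported as
    'unknown' rather than silently skipped, so they get manual review.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "fixed"
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "wiki-prod.example.internal": "2.10.5",
    "wiki-staging.example.internal": "2.11.0.M8",
    "wiki-dev.example.internal": "2.11.0",
    "wiki-lab.example.internal": "2.12.0-SNAPSHOT",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The sort key is the point of the example: comparing "2.11.0.M8" and "2.11.0" as plain strings or as split tuples ranks the milestone after the release, which would mark a vulnerable instance as fixed.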
Products affected by CVE-2021-44140
- cpe:2.3:a:apache:jspwiki:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-44140
- EPSS score: 0.46% (estimated probability of exploitation activity in the next 30 days)
- Percentile: ~76% (the proportion of all scored vulnerabilities with an EPSS score at or below this one)
EPSS is recomputed regularly, so these figures reflect the date this page was captured.
CVSS scores for CVE-2021-44140
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P (CVSS v2) | 10.0 | 4.9 | NIST | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST | |
CWE ids for CVE-2021-44140
- CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-44140
- https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t
  [CVE-2021-44140] Apache JSPWiki Arbitrary file deletion on logout (Apache Mail Archives). Mailing List; Vendor Advisory
- https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140
  JSPWiki: CVE-2021-44140. Vendor Advisory