Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS04Z3c2LXc1cnctNGc1Y80YMA
Incorrect Default Permissions in Apache JSPWiki
Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.
Permalink: https://github.com/advisories/GHSA-8gw6-w5rw-4g5cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04Z3c2LXc1cnctNGc1Y80YMA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Identifiers: GHSA-8gw6-w5rw-4g5c, CVE-2021-44140
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-44140
- https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140
- https://lists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t
- https://github.com/advisories/GHSA-8gw6-w5rw-4g5c
Affected Packages
maven:org.apache.jspwiki:jspwiki-main
Dependent packages: 8Dependent repositories: 20
Downloads:
Affected Version Ranges: < 2.11.0
Fixed in: 2.11.0
All affected versions:
All unaffected versions: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.12.0, 2.12.1