CVE-2021-44140 — Incorrect Default Permissions in Apache JSPWiki

Description

Remote attackers may delete arbitrary files in a system hosting a JSPWiki instance, versions up to 2.11.0.M8, by using a carefuly crafted http request on logout, given that those files are reachable to the user running the JSPWiki instance. Apache JSPWiki users should upgrade to 2.11.0 or later.

How to fix CVE-2021-44140

To remediate CVE-2021-44140, upgrade the affected package to a fixed version below.

—upgrade to 2.11.0 or later

Is CVE-2021-44140 being exploited?

Moderate — EPSS is 5.9%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 2.11.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-44140
PATCHgithub.com/apache/jspwiki
WEBjspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-44140
WEBlists.apache.org/thread/5qglpjdhvobppx7j550lf1sk28f6011t