
CVE-2021-43807: HTTP Method Spoofing

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.59183%
Published: 12/14/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name: org.opencastproject:opencast-common
Ecosystem: maven
Vulnerable Versions: < 9.10
First Patched Version: 9.10

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the use of an outdated Apache CXF dependency (version <3.4.3) that allowed HTTP method spoofing via the '_method' parameter. The patches (commits 59cb673 and 8f8271e) only update the CXF version in 'pom.xml' files, indicating the vulnerability resided in CXF's internal request handling logic, not in Opencast's own code. No specific functions within the 'opencast-common' package were modified or identified as directly implementing the vulnerable behavior. The issue was mitigated by updating the library dependency rather than modifying application code.

WAF Protection Rules

WAF Rule

Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restri