Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2021-44138

CVE-2021-44138:
Path Traversal in Caucho Resin

7.5

CVSS Score

Basic Information

CVE ID
CVE-2021-44138
GHSA ID
GHSA-4w2q-9hp2-vxj5
EPSS Score
-
CWE
CWE-22
Published
4/5/2022
Updated
1/27/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.caucho:resinmaven>= 4.0.52, <= 4.0.56

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper URI parsing that allows semicolons to bypass path restrictions. Resin's request handling (e.g., UrlDispatcher.service and WebApp.handleRequest) likely processes URIs without properly normalizing or sanitizing semicolons, treating them as valid path separators. This aligns with the attack vector examples (e.g., '/resin-doc/;/WEB-INF/resin-web.xml'), where the semicolon tricks the server into traversing directories. These functions are core to URI resolution in Resin, making them high-confidence candidates.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * *ir**tory tr*v*rs*l vuln*r**ility in **u**o R*sin, *s *istri*ut** in R*sin *.*.** - *.*.**, w*i** *llows r*mot* *tt**k*rs to r*** *il*s in *r*itr*ry *ir**tori*s vi* * ; in * p*t*n*m* wit*in *n *TTP r*qu*st.

Reasoning

T** vuln*r**ility st*ms *rom improp*r URI p*rsin* t**t *llows s*mi*olons to *yp*ss p*t* r*stri*tions. R*sin's r*qu*st **n*lin* (*.*., Url*isp*t***r.s*rvi** *n* W***pp.**n*l*R*qu*st) lik*ly pro**ss*s URIs wit*out prop*rly norm*lizin* or s*nitizin* s*m