
CVE-2021-44140: Incorrect Default Permissions in Apache JSPWiki

CVSS 3.1 Score: 9.1

Basic Information

EPSS Score: 0.91617%
Published: 11/29/2021
Updated: 2/1/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Affected Package
Package Name: org.apache.jspwiki:jspwiki-main
Ecosystem: maven
Vulnerable Versions: < 2.11.0
First Patched Version: 2.11.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability description explicitly ties the exploit to crafted HTTP requests during logout. This suggests that the logout handler (e.g., LogoutAction) processes request parameters that influence file operations. The assigned CWE-276 (Incorrect Default Permissions) implies that the function does not sufficiently validate user input before using it in file deletion operations. While the exact code is not provided, the link between logout requests and arbitrary file deletion strongly points to the logout handler's core method (e.g., perform() in LogoutAction) as the vulnerable entry point.
