cnvd - cnvd-2021-92465

cnvd-2021-92465

Vulnerability from cnvd

Title: Apache JSPWiki跨站脚本漏洞（CNVD-2021-92465）

Description:

Apache JSPWiki是美国阿帕奇（Apache）基金会的一款基于Java、Servlet和JSP构建的开源WikiWiki引擎。

Apache JSPWiki存在安全漏洞，该漏洞源于精心设计的插件链接调用可能会在 Apache JSPWiki 上触发与 Denounce 插件相关的 XSS 漏洞，攻击者可利用该漏洞在受害者的浏览器中执行javascript 并获取有关受害者的一些敏感信息。

Severity: 中

Patch Name: Apache JSPWiki跨站脚本漏洞（CNVD-2021-92465）的补丁

Patch Description:

Apache JSPWiki是美国阿帕奇（Apache）基金会的一款基于Java、Servlet和JSP构建的开源WikiWiki引擎。

Apache JSPWiki存在安全漏洞，该漏洞源于精心设计的插件链接调用可能会在 Apache JSPWiki 上触发与 Denounce 插件相关的 XSS 漏洞，攻击者可利用该漏洞在受害者的浏览器中执行javascript 并获取有关受害者的一些敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-40369

Impacted products

Name
Apache JSPWiki <2.11.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-40369"
    }
  },
  "description": "Apache JSPWiki\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u3001Servlet\u548cJSP\u6784\u5efa\u7684\u5f00\u6e90WikiWiki\u5f15\u64ce\u3002\n\nApache JSPWiki\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u63d2\u4ef6\u94fe\u63a5\u8c03\u7528\u53ef\u80fd\u4f1a\u5728 Apache JSPWiki \u4e0a\u89e6\u53d1\u4e0e Denounce \u63d2\u4ef6\u76f8\u5173\u7684 XSS \u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript \u5e76\u83b7\u53d6\u6709\u5173\u53d7\u5bb3\u8005\u7684\u4e00\u4e9b\u654f\u611f\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-92465",
  "openTime": "2021-11-30",
  "patchDescription": "Apache JSPWiki\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u57fa\u4e8eJava\u3001Servlet\u548cJSP\u6784\u5efa\u7684\u5f00\u6e90WikiWiki\u5f15\u64ce\u3002\r\n\r\nApache JSPWiki\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7cbe\u5fc3\u8bbe\u8ba1\u7684\u63d2\u4ef6\u94fe\u63a5\u8c03\u7528\u53ef\u80fd\u4f1a\u5728 Apache JSPWiki \u4e0a\u89e6\u53d1\u4e0e Denounce \u63d2\u4ef6\u76f8\u5173\u7684 XSS \u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u53d7\u5bb3\u8005\u7684\u6d4f\u89c8\u5668\u4e2d\u6267\u884cjavascript \u5e76\u83b7\u53d6\u6709\u5173\u53d7\u5bb3\u8005\u7684\u4e00\u4e9b\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache JSPWiki\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-92465\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "Apache JSPWiki \u003c2.11.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-40369",
  "serverity": "\u4e2d",
  "submitTime": "2021-11-25",
  "title": "Apache JSPWiki\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2021-92465\uff09"
}

CVE-2021-40369 (GCVE-0-2021-40369)

Vulnerability from cvelistv5

Published

2021-11-24 11:15

Modified

2024-08-04 02:44

Severity ?

CWE

CVE-2021-40369

Summary

A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later.

References

▼	URL	Tags
	https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369	x_refsource_MISC
	https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2022/08/03/3	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache JSPWiki	Version: Apache JSPWiki <

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T02:44:09.644Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh"
          },
          {
            "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache JSPWiki",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.11.0.M8",
              "status": "affected",
              "version": "Apache JSPWiki",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "moderate"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CVE-2021-40369",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-08-03T23:06:20",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh"
        },
        {
          "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "XSS vulnerability on Denounce plugin",
      "workarounds": [
        {
          "lang": "en",
          "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. "
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-40369",
          "STATE": "PUBLIC",
          "TITLE": "XSS vulnerability on Denounce plugin"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache JSPWiki",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "Apache JSPWiki",
                            "version_value": "2.11.0.M8"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Apache JSPWiki would like to thank map1e (root@lazymaple.pw) for discovering this issue."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A carefully crafted plugin link invocation could trigger an XSS vulnerability on Apache JSPWiki, related to the Denounce plugin, which could allow the attacker to execute javascript in the victim\u0027s browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.11.0 or later."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "moderate"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CVE-2021-40369"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369",
              "refsource": "MISC",
              "url": "https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2021-40369"
            },
            {
              "name": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/r2j00nrnpjgcmoxvlv3pgfoq9kzrcsfh"
            },
            {
              "name": "[oss-security] 20220803 CVE-2022-28730: Apache JSPWiki Cross-site scripting vulnerability on AJAXPreview.jsp",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2022/08/03/3"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Apache JSPWiki users should upgrade to 2.11.0 or later. "
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-40369",
    "datePublished": "2021-11-24T11:15:13",
    "dateReserved": "2021-09-01T00:00:00",
    "dateUpdated": "2024-08-04T02:44:09.644Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted