{"id":"CVE-2021-34427","details":"In Eclipse BIRT versions 4.8.0 and earlier, an attacker can use query parameters to create a JSP file in a remotely accessible location (the current BIRT viewer directory) and thereby inject JSP code into the running instance.","modified":"2026-04-10T04:34:34.874056Z","published":"2021-06-25T19:15:09.880Z","references":[{"type":"FIX","url":"https://bugs.eclipse.org/bugs/show_bug.cgi?id=538142"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/170326/Eclipse-Business-Intelligence-Reporting-Tool-4.11.0-Remote-Code-Execution.html"},{"type":"EVIDENCE","url":"http://seclists.org/fulldisclosure/2022/Dec/30"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/birt","events":[{"introduced":"0"},{"last_affected":"758df0fb8d048cce195a711cb2f51569c35f3c88"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.8.0"}]}}],"versions":["BIRT_2_0_Release_20060123","BIRT_3_7_1_RC1_201108161621","BIRT_3_7_1_RC2_201108292127","BIRT_3_7_1_RC3_201109051820","BIRT_3_7_1_Release_201109131734","BIRT_3_7_2_RC1_201201171144","BIRT_3_7_2_Release_201202141408","BIRT_4_3_0_Release_201306131152","BIRT_4_3_1_RC2_201309031312","BIRT_4_3_1_RC3_201309092207","BIRT_4_3_1_Release_201309181142","BIRT_4_3_2_Release_201402191316","BIRT_4_4_0_RC1_201405211030","BIRT_4_4_0_RC2_201405281057","BIRT_4_4_0_Release_201406111043","BIRT_4_5_0_RC4_201506092134","BIRT_4_5_0_Release_201506092134","BIRT_4_5_1_Release_201506092134","BIRT_4_6_0_Release_201606072112","BIRT_4_8_0_Release_201806261756","v200705101451","v20110803","v20110815","v20110905","v201110281843","v20120117","v20120213","v201208211204","v201208231223","v201208291456","v201208291607","v201208301143","v201209041636","v201209060505","v201209060743","v201209061114","v201209061119","v201209071804","v201209081329","v201209101219","v201209101448","v201209101614","v201209101712","v201209111026","v201209111701","v201209121047","v201209121203","v201209121206","v201209121213","v201210311502","
v201211070211","v201211121517","v201211201109","v201211211442","v201211261349","v201212061403","v201212061546","v201212131704","v201212171552","v201212191626","v201212201125","v201212211615","v201212241449","v201212271608","v201301041109","v201301041534","v201301051556","v201301071801","v201301091119","v201301091129","v201301101706","v201301141601","v201301151528","v201301151658","v201301161630","v201301161710","v201301181657","v201301211803","v201301221637","v201302221451","v201302281614","v201303041525","v201303111125","v201303121119","v201303270223","v201303271507","v201303281546","v201304031124","v201304091549","v201305221129","v201305241042","v201305290957","v201305291155","v201305291555","v201305311832","v201306031409","v201306031803","v201308301349","v201309021618","v201309021722","v201309031220","v201309031242","v201309081955","v201309091742","v201309131458","v201309161141","v201309171028","v201309222030","v201310240236","v20140211-1400","v201402141300","v201402232139","v201403071303","v201403101002","v201403101018","v201403111256","v201405161656","v201405191524","v201411051741","v201411061701","v201411071527","v201411071655","v201411141154","v201411141524","v201411141525","v201411181632","v201411181634","v201411211514","v201412081016","v201412081440","v201412151637","v201412161149","v201412161714","v201412171515","v201412171534","v201501061718","v201501081716","v201501221215","v201502041715","v201502091702","v201504141336","v201504231733","v201504240905","v201504271033","v201505050958","v201505051415","v201505061331","v201505061401"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-34427.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}