CVE-2021-40639

7.5 HIGH

📋 TL;DR

This vulnerability in Jfinal CMS 5.1.0 allows attackers to bypass access controls and access sensitive configuration files containing database credentials and system settings. Any organization running the vulnerable version of Jfinal CMS is affected, particularly those with internet-facing installations.

💻 Affected Systems

Products:
  • Jfinal CMS
Versions: 5.1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Confirmed in Jfinal CMS 5.1.0; earlier versions may also be vulnerable, but this has not been confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain database credentials leading to full database compromise, data exfiltration, and potential lateral movement to other systems.

🟠 Likely Case

Attackers access sensitive configuration files containing database passwords, potentially leading to data theft or system compromise.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the web application layer only.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests to specific vulnerable endpoints without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.1 or later

Vendor Advisory: https://github.com/jflyfox/jfinal_cms/issues/27

Restart Required: Yes

Instructions:

1. Download the latest version from the official repository.
2. Back up the current installation.
3. Replace the vulnerable files with the patched version.
4. Restart the web server.

🔧 Temporary Workarounds

Block access to vulnerable endpoints

Configure the web server to block requests to /classes/conf/db.properties and related paths:

  Apache (mod_rewrite; requires RewriteEngine On): RewriteRule ^/classes/conf/.*\.properties$ - [F]
  Nginx: location ~ ^/classes/conf/.*\.properties$ { return 403; }

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to Jfinal CMS administration interface
  • Monitor and alert on access attempts to sensitive configuration file paths

🔍 How to Verify

Check if Vulnerable:

Attempt to access http://[target]/classes/conf/db.properties&config=filemanager.config.js; if configuration data is returned, system is vulnerable.

Check Version:

Check Jfinal CMS version in admin panel or read version.txt in installation directory

Verify Fix Applied:

After patching, attempt the same access; should receive 403/404 error or no sensitive data.

📡 Detection & Monitoring

Log Indicators:

  • HTTP 200 responses to /classes/conf/db.properties
  • Unusual file access patterns to configuration directories

Network Indicators:

  • HTTP GET requests containing 'db.properties' and 'config=filemanager.config.js' parameters

SIEM Query:

source="web_logs" AND (uri_path="/classes/conf/db.properties" OR query_string CONTAINS "config=filemanager.config.js")
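The log and network indicators above, implemented as an added example (not part of this advisory) that scans combined-format access log lines for the two indicators in the SIEM query, percent-decodes the request target so encoded variants are not missed, and records whether the server answered 200 (exposure) or blocked the request. The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample access-log lines (combined log format); not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2021:10:01:09 +0000] "GET /classes/conf/db.properties HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.3 - - [12/Sep/2021:10:02:44 +0000] "GET /classes/conf/db.properties&config=filemanager.config.js HTTP/1.1" 200 640 "-" "python-requests/2.25"
198.51.100.3 - - [12/Sep/2021:10:03:01 +0000] "GET /classes/conf/%64b.properties HTTP/1.1" 403 199 "-" "curl/7.68.0"
192.0.2.9 - - [12/Sep/2021:10:04:15 +0000] "GET /static/js/filemanager.config.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method, target, protocol) and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
CONF_DIR = '/classes/conf/'                    # uri_path indicator from the SIEM query
INDICATOR = 'config=filemanager.config.js'     # query_string indicator from the SIEM query


def classify(target):
    """Return the list of CVE-2021-40639 indicators matched by a request target."""
    decoded = unquote(target)                  # defeat %-encoding of the path
    parts = urlsplit(decoded)
    reasons = []
    if parts.path.startswith(CONF_DIR) and '.properties' in parts.path:
        reasons.append('config-file path')
    # The indicator may appear in a proper query string or glued onto the path,
    # as in the advisory's verification URL, so check both.
    if INDICATOR in parts.query or INDICATOR in parts.path:
        reasons.append('filemanager indicator')
    return reasons


def scan_log(text):
    """Yield one finding per matching log line; 'exposed' means the server returned 200."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m['target'])
        if reasons:
            status = int(m['status'])
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'target': m['target'],
                         'status': status, 'reasons': reasons, 'exposed': status == 200})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 200 on a flagged request means the file contents were served and credential rotation should follow; a 403 on the same path shows the workaround above is in effect.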
