CVE-2021-21380: 
Java vulnerability analysis and mitigation

CVE-2021-21380 is a SQL injection vulnerability discovered in XWiki's Rating Script Service. The vulnerability was reported on August 18, 2020, and was patched in XWiki version 12.9RC1. The vulnerability affects XWiki installations with the Ratings API installed, versions 6.4-milestone-3 through 12.9RC1 (XWiki Advisory).

The vulnerability exists in the Rating Script Service's API method getAverageRating(String fromsql, String wheresql), which accepts two parameters that are directly used in AbstractRatingManager to construct SQL queries without proper escaping. This implementation allows for SQL injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 7.7, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N, indicating network accessibility, low attack complexity, and high impact on integrity (XWiki Advisory).

The vulnerability allows attackers with Script rights to perform SQL injection attacks against the XWiki platform. Successful exploitation could lead to unauthorized data manipulation and potential system compromise. The vulnerability specifically impacts data integrity without affecting confidentiality or availability (XWiki Advisory).

The vulnerability has been patched in XWiki version 12.9RC1. For users unable to upgrade immediately, the only workaround is to uninstall the Ratings API from the Extension Manager. Users are strongly recommended to upgrade to the patched version to ensure system security (XWiki Advisory).