CVE-2021-44230: 
Burp Suite vulnerability analysis and mitigation

PortSwigger Burp Suite Enterprise Edition before version 2021.11 on Windows contained a security vulnerability related to weak file permissions for its embedded H2 database (CVE-2021-44230). The vulnerability was discovered and disclosed in November 2021, affecting Windows-based installations of Burp Suite Enterprise Edition using the embedded H2 database (NVD).

The vulnerability stems from incorrect permission assignments for critical resources (CWE-732), specifically weak file permissions on the embedded H2 database files. The vulnerability received a CVSS v3.1 Base Score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could lead to unauthorized access to sensitive configuration, database, and log files. An attacker who has already compromised a valid Windows account on the server could potentially inherit read access to these sensitive files, potentially exposing confidential information (PortSwigger Release Notes).

The issue was fixed in Burp Suite Enterprise Edition version 2021.11. For existing installations, users can harden their system by disabling inheritance to ensure the Users group has no permissions for both installation and data directories, and ensuring both the Administrators group and NETWORK SERVICE user have Full control access to these directories (PortSwigger Release Notes).

The vulnerability was responsibly disclosed through PortSwigger's bug bounty program by security researcher Vijay Tikudave (PortSwigger Release Notes).