CVE-2020-27216

CWE-378CWE-379CWE-377CWE-552Files Accessible to External Parties12 documents8 sources
Severity
7.0HIGH
EPSS
0.1%
top 74.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
17
Eclipse JettyOracle JD Edwards Enterpriseone ToolsOracle Communications Element Manager+14 more
Timeline
PublishedOct 23
Latest updateOct 15

Description

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory us

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages19 packages

NVDeclipse/jetty1.09.3.29+3
Mavenorg.eclipse.jetty:jetty-webapp10.0.0.beta110.0.0.beta3+2
CVEListV5the_eclipse_foundation/eclipse_jetty1.0 to 9.4.32.v20200930, 10.0.0.alpha1 to 10.0.0.beta2, 11.0.0.alpha1 to 11.0.0.beta2+2
Mavenorg.mortbay.jetty:jetty-webapp10.0.0.beta110.0.0.beta3+2
Debianjetty9< 9.4.33-1+3

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: bugs.eclipse.orgPatch: www.oracle.comPatch: www.oracle.com

🔴Vulnerability Details

4
OSV
Local Temp Directory Hijacking Vulnerability2020-11-04
GHSA
Local Temp Directory Hijacking Vulnerability2020-11-04
OSV
CVE-2020-27216: In Eclipse Jetty versions 12020-10-23
CVEList
CVE-2020-27216: In Eclipse Jetty versions 12020-10-23

📋Vendor Advisories

5
Oracle
Oracle Oracle JD Edwards Risk Matrix: Installation (Eclipse Jetty) — CVE-2020-272162021-10-15
Oracle
Oracle Oracle Communications Applications Risk Matrix: CN OCOMC (Eclipse Jetty) — CVE-2020-272162021-07-15
Oracle
Oracle Oracle Communications Risk Matrix: Core (Eclipse Jetty) — CVE-2020-272162021-01-15
Red Hat
jetty: local temporary directory hijacking vulnerability2020-10-22
Debian
CVE-2020-27216: jetty9 - In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b...2020

💬Community

2
Bugzilla
CVE-2020-27216 jetty: local temporary directory hijacking vulnerability [fedora-all]2020-10-23
Bugzilla
CVE-2020-27216 jetty: local temporary directory hijacking vulnerability2020-10-23
CVE-2020-27216 (HIGH CVSS 7) | In Eclipse Jetty versions 1.0 thru | cvebase.io