CVE-2021-28163

CWE-200 — Information Exposure CWE-597 documents6 sources

Severity

2.7LOW

EPSS

0.2%

top 63.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

THE Eclipse Foundation Eclipse Jetty Apache Ignite Eclipse Jetty +14 more

Timeline

PublishedApr 1

Latest updateApr 6

Description

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:NExploitability: 1.2 | Impact: 1.4

Affected Packages18 packages

▶NVDeclipse/jetty9.4.32 — 9.4.39+4

▶Mavenorg.eclipse.jetty:jetty-deploy9.4.32 — 9.4.39+2

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.4.32 — unspecified+5

▶Debianjetty9< 9.4.39-1+3

▶NVDapache/ignite< 2.1.1

Also affects: Fedora 32, 33, 34

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

Directory exposure in jetty↗2021-04-06

▶

OSV

Directory exposure in jetty↗2021-04-06

▶

OSV

CVE-2021-28163: In Eclipse Jetty 9↗2021-04-01

▶

CVEList

CVE-2021-28163: In Eclipse Jetty 9↗2021-04-01

▶

📋Vendor Advisories

Red Hat

jetty: Symlink directory exposes webapp directory contents↗2021-04-01

▶

Debian

CVE-2021-28163: jetty9 - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 1...↗2021

▶