CVE-2021-28163
jetty: Symlink directory exposes webapp directory contents
Severity Score
2.7
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
En Eclipse Jetty versiones 9.4.32 hasta 9.4.38, versiones 10.0.0.beta2 hasta 10.0.1 y versiones 11.0.0.beta2 hasta 11.0.1, si un usuario usa un directorio de aplicaciones web que es un enlace simbólico, el contenido del directorio de aplicaciones web se implementa como una aplicación web estática, sin darse cuenta, sirviendo las aplicaciones web en sí y cualquier otra cosa que pueda estar en ese directorio.
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2021-03-12 CVE Reserved
- 2021-04-01 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-03 CVE Updated
- 2024-08-03 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (28)
| URL | Date | SRC |
|---|---|---|
| https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | >= 9.4.32 < 9.4.39 Search vendor "Eclipse" for product "Jetty" and version " >= 9.4.32 < 9.4.39" | - |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 10.0.0 Search vendor "Eclipse" for product "Jetty" and version "10.0.0" | beta2 |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 10.0.1 Search vendor "Eclipse" for product "Jetty" and version "10.0.1" | - |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 11.0.0 Search vendor "Eclipse" for product "Jetty" and version "11.0.0" | - |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 11.0.0 Search vendor "Eclipse" for product "Jetty" and version "11.0.0" | beta2 |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 11.0.0 Search vendor "Eclipse" for product "Jetty" and version "11.0.0" | beta3 |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 11.0.1 Search vendor "Eclipse" for product "Jetty" and version "11.0.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Ignite Search vendor "Apache" for product "Ignite" | < 2.1.1 Search vendor "Apache" for product "Ignite" and version " < 2.1.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Solr Search vendor "Apache" for product "Solr" | 8.8.1 Search vendor "Apache" for product "Solr" and version "8.8.1" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Manager Search vendor "Netapp" for product "Cloud Manager" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Performance Analyzer Search vendor "Netapp" for product "E-series Performance Analyzer" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller" | >= 11.0.0 <= 11.70.1 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0.0 <= 11.70.1" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Web Services Search vendor "Netapp" for product "E-series Santricity Web Services" | - | web_services_proxy |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Element Plug-in For Vcenter Server Search vendor "Netapp" for product "Element Plug-in For Vcenter Server" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Santricity Cloud Connector Search vendor "Netapp" for product "Santricity Cloud Connector" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapcenter Search vendor "Netapp" for product "Snapcenter" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapcenter Plug-in Search vendor "Netapp" for product "Snapcenter Plug-in" | - | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Storage Replication Adapter For Clustered Data Ontap Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" | >= 9.6 Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" and version " >= 9.6" | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Vasa Provider For Clustered Data Ontap Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" | >= 9.6 Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version " >= 9.6" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Virtual Storage Console Search vendor "Netapp" for product "Virtual Storage Console" | >= 9.6 Search vendor "Netapp" for product "Virtual Storage Console" and version " >= 9.6" | vmware_vsphere |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" | 21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 20.1 Search vendor "Oracle" for product "Banking Apis" and version "20.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 21.1 Search vendor "Oracle" for product "Banking Apis" and version "21.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 21.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Element Manager Search vendor "Oracle" for product "Communications Element Manager" | 8.2.2 Search vendor "Oracle" for product "Communications Element Manager" and version "8.2.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Services Gatekeeper Search vendor "Oracle" for product "Communications Services Gatekeeper" | 7.0 Search vendor "Oracle" for product "Communications Services Gatekeeper" and version "7.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager" | >= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0 <= 8.2.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager" | >= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4.0" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Siebel Core - Automation Search vendor "Oracle" for product "Siebel Core - Automation" | <= 21.9 Search vendor "Oracle" for product "Siebel Core - Automation" and version " <= 21.9" | - |
Affected
| ||||||