Vulnerability Description
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | >= 9.4.32, < 9.4.39 |
| Fedoraproject | Fedora | 32 |
| Apache | Ignite | < 2.1.1 |
| Apache | Solr | 8.8.1 |
| Netapp | Cloud Manager | - |
| Netapp | E-Series Performance Analyzer | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0.0, <= 11.70.1 |
| Netapp | E-Series Santricity Web Services | - |
| Netapp | Element Plug-In For Vcenter Server | - |
| Netapp | Santricity Cloud Connector | - |
| Netapp | Snapcenter | - |
| Netapp | Snapcenter Plug-In | - |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | >= 9.6 |
| Netapp | Vasa Provider For Clustered Data Ontap | >= 9.6 |
| Netapp | Virtual Storage Console | >= 9.6 |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Communications Element Manager | 8.2.2 |
| Oracle | Communications Services Gatekeeper | 7.0 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgqExploitThird Party Advisory
- https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9
- https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc0
- https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6
- https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd7
- https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5
- https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9d
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7
- https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918
- https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92
- https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9
- https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b
- https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f
FAQ
What is CVE-2021-28163?
CVE-2021-28163 is a vulnerability with a CVSS score of 2.7 (LOW). In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a stat...
How severe is CVE-2021-28163?
CVE-2021-28163 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28163?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Fedoraproject Fedora, Apache Ignite, Apache Solr, Netapp Cloud Manager.