CVE-2021-28163

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 01-04-2021 05:15

Last modified: - 12-05-2022 04:36

Total changes: - 21

Description

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

High

Privileges required

Unchanged

Scope

None

User interaction

2.7

Base score

1.2

1.4

Exploitability score

Impact score

Verification logic

vendor=eclipse AND product=jetty AND version=11.0.0 AND update=beta2

vendor=eclipse AND product=jetty AND version=10.0.0 AND update=beta2

vendor=eclipse AND product=jetty AND version=11.0.0 AND update=-

vendor=eclipse AND product=jetty AND version=11.0.1

vendor=eclipse AND product=jetty AND version=11.0.0 AND update=beta3

vendor=eclipse AND product=jetty AND version=10.0.1

vendor=eclipse AND product=jetty AND versionStartIncluding=9.4.32 AND versionEndExcluding=9.4.39

vendor=fedoraproject AND product=fedora AND version=32

vendor=fedoraproject AND product=fedora AND version=33

vendor=fedoraproject AND product=fedora AND version=34

vendor=apache AND product=solr AND version=8.8.1

vendor=apache AND product=ignite AND versionEndExcluding=2.1.1

vendor=netapp AND product=santricity_cloud_connector AND version=-

vendor=netapp AND product=snapcenter AND version=-

vendor=netapp AND product=e-series_performance_analyzer AND version=-

vendor=netapp AND product=e-series_santricity_web_services AND version=- AND target_software=web_services_proxy

vendor=netapp AND product=virtual_storage_console AND target_software=vmware_vsphere AND versionStartIncluding=9.6

vendor=netapp AND product=storage_replication_adapter_for_clustered_data_ontap AND target_software=vmware_vsphere AND versionStartIncluding=9.6

vendor=netapp AND product=vasa_provider_for_clustered_data_ontap AND versionStartIncluding=9.6

vendor=netapp AND product=cloud_manager AND version=-

vendor=netapp AND product=snapcenter_plug-in AND version=- AND target_software=vmware_vsphere

vendor=netapp AND product=element_plug-in_for_vcenter_server AND version=-

vendor=netapp AND product=e-series_santricity_os_controller AND versionEndIncluding=11.70.1 AND versionStartIncluding=11.0.0

vendor=oracle AND product=banking_digital_experience AND version=20.1

vendor=oracle AND product=communications_services_gatekeeper AND version=7.0

vendor=oracle AND product=autovue_for_agile_product_lifecycle_management AND version=21.0.2

vendor=oracle AND product=siebel_core_-_automation AND versionEndIncluding=21.9

vendor=oracle AND product=communications_session_report_manager AND versionEndIncluding=8.2.4.0 AND versionStartIncluding=8.0.0

vendor=oracle AND product=communications_session_route_manager AND versionEndIncluding=8.2.4.0 AND versionStartIncluding=8.0.0

vendor=oracle AND product=communications_element_manager AND version=8.2.2

vendor=oracle AND product=banking_digital_experience AND version=21.1

vendor=oracle AND product=banking_apis AND version=20.1

vendor=oracle AND product=banking_apis AND version=21.1

Reference

https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39-Mailing List, Third Party Advisory
[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty-Mailing List, Third Party Advisory
[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty-Mailing List, Third Party Advisory
[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr-Mailing List, Patch, Third Party Advisory
[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr-Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty-Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty-Mailing List, Third Party Advisory
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty-Mailing List, Third Party Advisory
FEDORA-2021-444e38face-Mailing List, Third Party Advisory
FEDORA-2021-35f06984d7-Mailing List, Third Party Advisory
FEDORA-2021-fd66b2bd53-Mailing List, Third Party Advisory
[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr-Mailing List, Patch, Third Party Advisory
https://security.netapp.com/advisory/ntap-20210611-0006/
[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr-Mailing List, Third Party Advisory
[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813-Mailing List, Third Party Advisory
[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813-Mailing List, Third Party Advisory
[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr-Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
https://www.oracle.com/security-alerts/cpuoct2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2021-28163

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2021-28163

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures