PT-2021-7304 · Eclipse · Eclipse Jetty

Published: 2021-04-01 · Updated: 2024-03-06 · CVE-2021-28163

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions 9.4.32 through 9.4.38
Eclipse Jetty versions 10.0.0.beta2 through 10.0.1
Eclipse Jetty versions 11.0.0.beta2 through 11.0.1

Description

The issue is related to the webapps directory in Eclipse Jetty being a symlink, which can cause the contents of the webapps directory to be deployed as a static webapp. This can inadvertently serve the webapps themselves and anything else that might be in that directory, potentially allowing a remote attacker to gain unauthorized access to protected information.

Recommendations

For Eclipse Jetty versions 9.4.32 through 9.4.38, do not use a symlink for the webapps directory.
For Eclipse Jetty versions 10.0.0.beta2 through 10.0.1, do not use a symlink for the webapps directory.
For Eclipse Jetty versions 11.0.0.beta2 through 11.0.1, do not use a symlink for the webapps directory.
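The following POSIX shell check is an added example written for this entry; it is not code from the advisory or from the Eclipse Jetty project. It assumes the standard Jetty base layout in which deployable applications live in a `webapps` directory directly under the Jetty base directory, and it encodes the affected version ranges listed above (including the common `.vYYYYMMDD` suffix on 9.4.x release strings). The first function flags a Jetty base whose `webapps` entry is a symlink, which is the configuration the description says leads to the directory contents being served; the second reports whether a given version string falls inside one of the listed ranges.

```shell
#!/bin/sh
# Hypothetical helpers (not part of the advisory or of Jetty) for auditing a
# Jetty installation against the condition described in CVE-2021-28163.

# check_webapps_dir <jetty.base>
# Exit status: 0 = webapps is a regular directory (recommended layout)
#              1 = webapps is a symlink (the configuration the advisory warns about)
#              2 = webapps is missing or not a directory at all
check_webapps_dir() {
    base="$1"
    webapps="$base/webapps"

    # A dangling or missing entry is not the vulnerable condition, but it is
    # still worth reporting because nothing would be deployed from it.
    if [ ! -e "$webapps" ] && [ ! -L "$webapps" ]; then
        echo "no webapps directory under $base"
        return 2
    fi

    # -L tests the entry itself, without following the link; this is the
    # check that matters for the advisory's recommendation.
    if [ -L "$webapps" ]; then
        target=$(readlink "$webapps")
        echo "WARNING: $webapps is a symlink -> $target; affected configuration, use a real directory"
        return 1
    fi

    if [ ! -d "$webapps" ]; then
        echo "$webapps exists but is not a directory"
        return 2
    fi

    echo "OK: $webapps is a regular directory"
    return 0
}

# jetty_version_affected <version-string>
# Returns 0 when the version is inside one of the ranges the advisory lists,
# 1 otherwise. Ranges are matched with shell patterns; "through" is read as
# inclusive, so 10.0.0 GA sits between 10.0.0.beta2 and 10.0.1.
jetty_version_affected() {
    case "$1" in
        9.4.3[2-8]|9.4.3[2-8].v*)                      return 0 ;;
        10.0.0.beta[2-9]|10.0.0|10.0.1)                 return 0 ;;
        11.0.0.beta[2-9]|11.0.0|11.0.1)                 return 0 ;;
        *)                                              return 1 ;;
    esac
}

# Usage when run as a script: ./check.sh <jetty.base> [jetty-version]
if [ -n "${1:-}" ]; then
    check_webapps_dir "$1"
    if [ -n "${2:-}" ]; then
        if jetty_version_affected "$2"; then
            echo "version $2 is within an affected range"
        else
            echo "version $2 is not within a listed affected range"
        fi
    fi
fi
```

Run it against each Jetty base on a host (for example `sh check.sh /opt/jetty-base 9.4.35.v20201120`); a non-zero exit from the directory check is the finding to act on, and the fix is simply to replace the symlink with a real directory (or to move the base) rather than to change anything inside the applications.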

Weakness Enumeration

Information Disclosure
Link Following

Related Identifiers

ALT-PU-2021-2000
BDU:2022-05511
BIT-SOLR-2021-28163
CVE-2021-28163
GHSA-J6QJ-J888-VVGQ
OPENSUSE-SU-2021:2005-1
OPENSUSE-SU-2021_2005-1
OPENSUSE-SU-2024:10878-1
RHSA-2021:1509
RHSA-2021:1551
SUSE-SU-2021:2005-1
SUSE-SU-2021_2005-1

Affected Products

Alt Linux
Eclipse Jetty
Suse