ghsa-j6qj-j888-vvgq
Vulnerability from github
Published
2021-04-06 17:32
Modified
2022-04-22 15:49
Severity ?
Summary
Directory exposure in jetty
Details
Impact
If the ${jetty.base}
directory or the ${jetty.base}/webapps
directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps
directory may be deployed as a static web application, exposing the content of the directory for download.
For example, the problem manifests in the following ${jetty.base}
:
```$ tree demo-base/
demo-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│ └── async-rest.war
└── webapps -> deploy
```
Workarounds
Do not use a symlink
{ "affected": [ { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-deploy" }, "ranges": [ { "events": [ { "introduced": "9.4.32" }, { "fixed": "9.4.39" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-deploy" }, "ranges": [ { "events": [ { "introduced": "10.0.0" }, { "fixed": "10.0.2" } ], "type": "ECOSYSTEM" } ] }, { "package": { "ecosystem": "Maven", "name": "org.eclipse.jetty:jetty-deploy" }, "ranges": [ { "events": [ { "introduced": "11.0.0" }, { "fixed": "11.0.2" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2021-28163" ], "database_specific": { "cwe_ids": [ "CWE-200", "CWE-59" ], "github_reviewed": true, "github_reviewed_at": "2021-04-02T23:13:08Z", "nvd_published_at": "2021-04-01T15:15:00Z", "severity": "LOW" }, "details": "### Impact\nIf the `${jetty.base}` directory or the `${jetty.base}/webapps` directory is a symlink (soft link in Linux), the contents of the `${jetty.base}/webapps` directory may be deployed as a static web application, exposing the content of the directory for download. \n\nFor example, the problem manifests in the following `${jetty.base}`:\n```$ tree demo-base/\ndemo-base/\n\u251c\u2500\u2500 etc\n\u251c\u2500\u2500 lib\n\u251c\u2500\u2500 resources\n\u251c\u2500\u2500 start.d\n\u251c\u2500\u2500 deploy\n\u2502\u00a0\u00a0 \u2514\u2500\u2500 async-rest.war\n\u2514\u2500\u2500 webapps -\u003e deploy\n\n``` \n\n### Workarounds\nDo not use a symlink", "id": "GHSA-j6qj-j888-vvgq", "modified": "2022-04-22T15:49:55Z", "published": "2021-04-06T17:32:00Z", "references": [ { "type": "WEB", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "type": "WEB", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "type": "WEB", "url": "https://security.netapp.com/advisory/ntap-20210611-0006" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS" }, { "type": "WEB", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "type": "WEB", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "type": "PACKAGE", "url": "https://github.com/eclipse/jetty.project" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "type": "CVSS_V3" } ], "summary": "Directory exposure in jetty" }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.