Action not permitted
Modal body text goes here.
Modal Title
Modal Body
rhsa-2021_3225
Vulnerability from csaf_redhat
Published
2021-08-19 07:17
Modified
2024-11-25 12:33
Summary
Red Hat Security Advisory: Red Hat AMQ Streams 1.8.0 release and security update
Notes
Topic
Red Hat AMQ Streams 1.8.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
This release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red Hat AMQ Streams 1.7.0, and includes security and bug fixes, and enhancements.
Security Fix(es):
* snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640)
* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
* netty: Request smuggling via content-length header (CVE-2021-21409)
* json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)
* jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
* jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)
* jersey: Local information disclosure via system temporary directory (CVE-2021-28168)
* jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)
* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)
* jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Red Hat AMQ Streams 1.8.0 is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency. \n\nThis release of Red Hat AMQ Streams 1.8.0 serves as a replacement for Red Hat AMQ Streams 1.7.0, and includes security and bug fixes, and enhancements.\n\nSecurity Fix(es):\n\n* snakeyaml: Billion laughs attack via alias feature (CVE-2017-18640)\n\n* netty: Information disclosure via the local system temporary directory (CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* json-smart: uncaught exception may lead to crash or information disclosure (CVE-2021-27568)\n\n* jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)\n\n* jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)\n\n* jersey: Local information disclosure via system temporary directory (CVE-2021-28168)\n\n* jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)\n\n* apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)\n\n* jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2021:3225", "url": "https://access.redhat.com/errata/RHSA-2021:3225" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.8.0", "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.streams\u0026version=1.8.0" }, { "category": "external", "summary": "1785376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785376" }, { "category": "external", "summary": "1927028", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028" }, { "category": "external", "summary": "1937364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364" }, { "category": "external", "summary": "1939839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939839" }, { "category": "external", "summary": "1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "1945710", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710" }, { "category": "external", "summary": "1945712", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712" }, { "category": "external", "summary": "1945714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714" }, { "category": "external", "summary": "1948752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752" }, { "category": "external", "summary": "1953024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953024" }, { "category": "external", "summary": "1971016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016" }, { "category": "external", "summary": "1974891", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_3225.json" } ], "title": "Red Hat Security Advisory: Red Hat AMQ Streams 1.8.0 release and security update", "tracking": { "current_release_date": "2024-11-25T12:33:35+00:00", "generator": { "date": "2024-11-25T12:33:35+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2021:3225", "initial_release_date": "2021-08-19T07:17:54+00:00", "revision_history": [ { "date": "2021-08-19T07:17:54+00:00", "number": "1", "summary": "Initial version" }, { "date": "2021-08-19T07:17:54+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-25T12:33:35+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat AMQ Streams 1.8.0", "product": { "name": "Red Hat AMQ Streams 1.8.0", "product_id": "Red Hat AMQ Streams 1.8.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:amq_streams:1" } } } ], "category": "product_family", "name": "Red Hat JBoss AMQ" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2017-18640", "cwe": { "id": "CWE-122", "name": "Heap-based Buffer Overflow" }, "discovery_date": "2019-12-19T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1785376" } ], "notes": [ { "category": "description", "text": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.", "title": "Vulnerability description" }, { "category": "summary", "text": "snakeyaml: Billion laughs attack via alias feature", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2017-18640" }, { "category": "external", "summary": "RHBZ#1785376", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1785376" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2017-18640", "url": "https://www.cve.org/CVERecord?id=CVE-2017-18640" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640", "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-18640" } ], "release_date": "2019-12-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "snakeyaml: Billion laughs attack via alias feature" }, { "cve": "CVE-2021-21290", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-02-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1927028" } ], "notes": [ { "category": "description", "text": "In Netty there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used, a local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: Information disclosure via the local system temporary directory", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21290" }, { "category": "external", "summary": "RHBZ#1927028", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1927028" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21290", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21290" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21290" } ], "release_date": "2021-02-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "netty: Information disclosure via the local system temporary directory" }, { "cve": "CVE-2021-21295", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-03-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1937364" } ], "notes": [ { "category": "description", "text": "In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: possible request smuggling in HTTP/2 due missing validation", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21295" }, { "category": "external", "summary": "RHBZ#1937364", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1937364" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21295", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21295" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21295" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" } ], "release_date": "2021-03-09T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty: possible request smuggling in HTTP/2 due missing validation" }, { "cve": "CVE-2021-21409", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request/Response Smuggling\u0027)" }, "discovery_date": "2021-03-30T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1944888" } ], "notes": [ { "category": "description", "text": "A flaw was found in Netty. There is an issue where the content-length header is not validated correctly if the request uses a single Http2HeaderFrame with the endstream set to true. This flaw leads to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. The highest threat from this vulnerability is to integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "netty: Request smuggling via content-length header", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat Satellite ships a vulnerable Netty version embedded in Candlepin. However, it is not directly vulnerable since the HTTP requests are handled by Tomcat and not by Netty.\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of netty-codec-http package.\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-21409" }, { "category": "external", "summary": "RHBZ#1944888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1944888" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-21409", "url": "https://www.cve.org/CVERecord?id=CVE-2021-21409" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21409" }, { "category": "external", "summary": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" } ], "release_date": "2021-03-30T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "netty: Request smuggling via content-length header" }, { "cve": "CVE-2021-27568", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-03-02T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1939839" } ], "notes": [ { "category": "description", "text": "A flaw was found in json-smart. When an exception is thrown from a function, but is not caught, the program using the library may crash or expose sensitive information. The highest threat from this vulnerability is to data confidentiality and system availability.\r\n\r\nIn OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of json-smart package.\r\nSince the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix.\r\nThis may be fixed in the future.\r\n\r\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Vulnerability description" }, { "category": "summary", "text": "json-smart: uncaught exception may lead to crash or information disclosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-27568" }, { "category": "external", "summary": "RHBZ#1939839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1939839" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-27568", "url": "https://www.cve.org/CVERecord?id=CVE-2021-27568" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-27568", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27568" } ], "release_date": "2021-02-23T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "json-smart: uncaught exception may lead to crash or information disclosure" }, { "cve": "CVE-2021-28163", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-04-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1945710" } ], "notes": [ { "category": "description", "text": "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: Symlink directory exposes webapp directory contents", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28163" }, { "category": "external", "summary": "RHBZ#1945710", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945710" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28163", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28163" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28163" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" } ], "release_date": "2021-04-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: Symlink directory exposes webapp directory contents" }, { "cve": "CVE-2021-28164", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-04-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1945712" } ], "notes": [ { "category": "description", "text": "In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: Ambiguous paths can access WEB-INF", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28164" }, { "category": "external", "summary": "RHBZ#1945712", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945712" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28164", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28164" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" } ], "release_date": "2021-04-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: Ambiguous paths can access WEB-INF" }, { "cve": "CVE-2021-28165", "cwe": { "id": "CWE-400", "name": "Uncontrolled Resource Consumption" }, "discovery_date": "2021-04-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1945714" } ], "notes": [ { "category": "description", "text": "When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing high CPU resources utilization. The highest threat from this vulnerability is to service availability.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: Resource exhaustion when receiving an invalid large TLS frame", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28165" }, { "category": "external", "summary": "RHBZ#1945714", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1945714" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28165", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28165" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28165" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" } ], "release_date": "2021-04-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: Resource exhaustion when receiving an invalid large TLS frame" }, { "cve": "CVE-2021-28168", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-04-22T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1953024" } ], "notes": [ { "category": "description", "text": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.", "title": "Vulnerability description" }, { "category": "summary", "text": "jersey: Local information disclosure via system temporary directory", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28168" }, { "category": "external", "summary": "RHBZ#1953024", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1953024" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28168", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28168" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28168" } ], "release_date": "2021-04-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jersey: Local information disclosure via system temporary directory" }, { "cve": "CVE-2021-28169", "cwe": { "id": "CWE-200", "name": "Exposure of Sensitive Information to an Unauthorized Actor" }, "discovery_date": "2021-06-09T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1971016" } ], "notes": [ { "category": "description", "text": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\n\nRed Hat OpenStack Platform\u0027s OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\n\nRed Hat CodeReady Studio 12 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 8 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty.\n\nRed Hat Enterprise Linux 7 ships the vulnerable component of jetty, but only in the optional repository and thus this flaw is out of support scope for Red Hat Enterprise Linux 7.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-28169" }, { "category": "external", "summary": "RHBZ#1971016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1971016" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-28169", "url": "https://www.cve.org/CVERecord?id=CVE-2021-28169" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-28169" } ], "release_date": "2021-06-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory" }, { "cve": "CVE-2021-29425", "cwe": { "id": "CWE-22", "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)" }, "discovery_date": "2021-04-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1948752" } ], "notes": [ { "category": "description", "text": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.", "title": "Vulnerability description" }, { "category": "summary", "text": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6", "title": "Vulnerability summary" }, { "category": "other", "text": "While the apache-commons-io package included in Red Hat Enterprise Linux 8 Maven App Stream contains the vulnerable code, it is not used in any way by Maven or other packages in this module. This package is not an API component of Maven, thus the affected code can not be reached in any supported scenario.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-29425" }, { "category": "external", "summary": "RHBZ#1948752", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1948752" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-29425", "url": "https://www.cve.org/CVERecord?id=CVE-2021-29425" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29425" } ], "release_date": "2021-04-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" } ], "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6" }, { "cve": "CVE-2021-34428", "cwe": { "id": "CWE-613", "name": "Insufficient Session Expiration" }, "discovery_date": "2021-06-22T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1974891" } ], "notes": [ { "category": "description", "text": "A flaw was discovered in the jetty-server, where if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts, this could result in a session not being invalidated and a shared-computer application being left logged in. The highest threat from this vulnerability is to data confidentiality and integrity.", "title": "Vulnerability description" }, { "category": "summary", "text": "jetty: SessionListener can prevent a session from being invalidated breaking logout", "title": "Vulnerability summary" }, { "category": "other", "text": "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future.\n\nOCP 3.11 is out of the support scope for Moderate and Low impact vulnerabilities because is already in the Maintenance Support phase, hence the affected OCP 3.11 component has been marked as wontifx.\n\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat AMQ Streams 1.8.0" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2021-34428" }, { "category": "external", "summary": "RHBZ#1974891", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1974891" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2021-34428", "url": "https://www.cve.org/CVERecord?id=CVE-2021-34428" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-34428" }, { "category": "external", "summary": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" } ], "release_date": "2021-06-22T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2021-08-19T07:17:54+00:00", "details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2021:3225" }, { "category": "workaround", "details": "Applications should catch all Throwables within their SessionListener#sessionDestroyed() implementations.", "product_ids": [ "Red Hat AMQ Streams 1.8.0" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Red Hat AMQ Streams 1.8.0" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "jetty: SessionListener can prevent a session from being invalidated breaking logout" } ] }
cve-2021-28164
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.37.v20210219 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.093Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "9.4.37.v20210219", "versionType": "custom" }, { "lessThanOrEqual": "9.4.38.v20210224", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-551", "description": "CWE-551", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:18", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28164", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "9.4.37.v20210219" }, { "version_affected": "\u003c=", "version_value": "9.4.38.v20210224" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application." } ] }, "impact": { "cvss": { "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200" } ] }, { "description": [ { "lang": "eng", "value": "CWE-551" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "name": "https://security.netapp.com/advisory/ntap-20210611-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28164", "datePublished": "2021-04-01T14:20:14", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.093Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28168
Vulnerability from cvelistv5
Published
2021-04-22 17:35
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jersey |
Version: 2.28 < unspecified Version: unspecified < Version: 3.0.0 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.260Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712" }, { "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jersey", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "2.28", "versionType": "custom" }, { "lessThanOrEqual": "2.33", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom" }, { "lessThanOrEqual": "3.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-378", "description": "CWE-378: Creation of Temporary File With Insecure Permissions", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-379", "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:30", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse-ee4j/jersey/pull/4712" }, { "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28168", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jersey", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "2.28" }, { "version_affected": "\u003c=", "version_value": "2.33" }, { "version_affected": "\u003e=", "version_value": "3.0.0" }, { "version_affected": "\u003c=", "version_value": "3.0.1" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Eclipse Jersey 2.28 to 2.33 and Eclipse Jersey 3.0.0 to 3.0.1 contains a local information disclosure vulnerability. This is due to the use of the File.createTempFile which creates a file inside of the system temporary directory with the permissions: -rw-r--r--. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users." } ] }, "impact": { "cvss": { "baseScore": 6.2, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-378: Creation of Temporary File With Insecure Permissions" } ] }, { "description": [ { "lang": "eng", "value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv", "refsource": "CONFIRM", "url": "https://github.com/eclipse-ee4j/jersey/security/advisories/GHSA-c43q-5hpj-4crv" }, { "name": "https://github.com/eclipse-ee4j/jersey/pull/4712", "refsource": "CONFIRM", "url": "https://github.com/eclipse-ee4j/jersey/pull/4712" }, { "name": "[kafka-jira] 20210429 [GitHub] [kafka] xjin-Confluent opened a new pull request #10614: MINOR: Upgrade jersey to 2.34", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd54b42edccc1b993853a9c4943a9b16db763f5e2febf6e64b7d0fe3c@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc6221670de35b819fe191e7d8f2d17bc000549bd554020cec644b71e@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210505 [jira] [Created] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra3d7cd37fc794981a885332af2f8df0d873753380ea19935d6d847fc@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210505 [GitHub] [kafka] shayelkin opened a new pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc288874c330b3af9e29a1a114c5e0d24fff7a79eaa341f551535c8c0@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Assigned] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4066176a7352e021d7a81af460044bde8d57f40e98f8e4a31923af3a@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Commented] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r42fef440487a04cf5e487a9707ef5119d2dd5b809919f25ef4296fc4@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rafc3c4cee534f478cbf8acf91e48373e291a21151f030e8132662a7b@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r454f38e85db149869c5a92c993c402260a4f8599bf283f6cfaada972@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] omkreddy merged pull request #10636: MINOR: Bump Jersey deps to 2.34 due to CVE-2021-28168", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r96658b899fcdbf04947257d201dc5a0abdbb5fb0a8f4ec0a6c15e70f@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.7 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6dadc8fe82071aba841d673ffadf34728bff4357796b1990a66e3af1@%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210506 [kafka] branch 2.8 updated: KAFKA-12752: Bump Jersey deps to 2.34 due to CVE-2021-28168 (#10636)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r280438f7cb4b3b1c9dfda9d7b05fa2a5cfab68618c6afee8169ecdaa@%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdff6939e6c8dd620e20b013d9a35f57d42b3cd19e1d0483d85dfa2fd@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210506 [jira] [Resolved] (KAFKA-12752) CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r305fb82e5c005143c1e2ec986a19c0a44f42189ab2580344dc955359@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr closed pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra2722171d569370a9e15147d9f3f6138ad9a188ee879c0156aa2d73a@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210507 [GitHub] [kafka] dongjinleekr commented on pull request #10641: KAFKA-12752: CVE-2021-28168 upgrade jersey to 2.34 or 3.02", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra3290fe51b4546fac195724c4187c4cb7fc5809bc596c2f7e97606f4@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28168", "datePublished": "2021-04-22T17:35:14", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.260Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2017-18640
Vulnerability from cvelistv5
Published
2019-12-12 00:00
Modified
2024-08-05 21:28
Severity ?
EPSS score ?
Summary
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T21:28:55.802Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "FEDORA-2020-599514b47e", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/" }, { "name": "FEDORA-2020-23012fafbc", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/" }, { "name": "[pulsar-commits] 20200830 [GitHub] [pulsar] codelipenghui commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-dev] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200830 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy edited a comment on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200831 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E" }, { "name": "[cassandra-pr] 20200907 [GitHub] [cassandra] crazylab opened a new pull request #736: Upgrade to a snakeyaml version without CVE", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #110: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab closed pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E" }, { "name": "[pulsar-commits] 20200907 [GitHub] [pulsar] jiazhai closed issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200909 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [GitHub] [atlas] nixonrodrigues commented on pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [jira] [Created] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [jira] [Updated] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-commits] 20200915 [atlas] branch master updated: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200915 [GitHub] [atlas] nixonrodrigues merged pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200915 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-commits] 20200916 [atlas] 02/02: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200916 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Created] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201001 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201002 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201002 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201007 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201007 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [cassandra] branch trunk updated: Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201026 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201027 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201028 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201028 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20201028 [hadoop] branch trunk updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20201028 [hadoop] branch branch-3.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[phoenix-dev] 20210419 [jira] [Created] (OMID-207) Upgrade to snakeyaml 1.26 due to CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E" }, { "name": "[phoenix-dev] 20210419 [GitHub] [phoenix-omid] richardantal opened a new pull request #93: OMID-207 Upgrade to snakeyaml 1.26 due to CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E" }, { "tags": [ "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_transferred" ], "url": "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion" }, { "tags": [ "x_transferred" ], "url": "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages" }, { "tags": [ "x_transferred" ], "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack" }, { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_transferred" ], "url": "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211008 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211008 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "tags": [ "x_transferred" ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes" }, { "tags": [ "x_transferred" ], "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/377" }, { "name": "GLSA-202305-28", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202305-28" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2023-05-21T00:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "FEDORA-2020-599514b47e", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CKN7VGIKTYBCAKYBRG55QHXAY5UDZ7HA/" }, { "name": "FEDORA-2020-23012fafbc", "tags": [ "vendor-advisory" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PTVJC54XGX26UJVVYCXZ7D25X3R5T2G6/" }, { "name": "[pulsar-commits] 20200830 [GitHub] [pulsar] codelipenghui commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r8b57c57cffa01e418868a3c7535b987635ff1fb5ab534203bfa2d64a%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-dev] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rb34d8d3269ad47a1400f5a1a2d8310e13a80b6576ebd7f512144198d%40%3Ccommon-dev.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200830 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r8464b6ec951aace8c807bac9ea526d4f9e3116aa16d38be06f7c6524%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200830 [jira] [Created] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r643ba53f002ae59068f9352fe1d82e1b6f375387ffb776f13efe8fda%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy edited a comment on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r2b05744c0c2867daa5d1a96832965b7d6220328b0ead06c22a6e7854%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20200831 [GitHub] [pulsar] wolfstudy commented on issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r6c91e52b3cc9f4e64afe0f34f20507143fd1f756d12681a56a9b38da%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200831 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r72a3588d62b2de1361dc9648f5d355385735e47f7ba49d089b0e680d%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r1dfac8b6a7097bcb4979402bbb6e2f8c36d0d9001e3018717eb22b7e%40%3Cdev.atlas.apache.org%3E" }, { "name": "[cassandra-pr] 20200907 [GitHub] [cassandra] crazylab opened a new pull request #736: Upgrade to a snakeyaml version without CVE", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rb0e033d5ec8233360203431ad96580cf2ec56f47d9a425d894e279c2%40%3Cpr.cassandra.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab opened a new pull request #110: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r2a5b84fdf59042dc398497e914b5bb1aed77328320b1438144ae1953%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200907 [GitHub] [atlas] crazylab closed pull request #109: Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r6d54c2da792c74cc14b9b7665ea89e144c9e238ed478d37fd56292e6%40%3Cdev.atlas.apache.org%3E" }, { "name": "[pulsar-commits] 20200907 [GitHub] [pulsar] jiazhai closed issue #7928: CVE-2017-18640 exposure snakeyaml below 1.26", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r666f29a7d0e1f98fa1425ca01efcfa86e6e3856e01d300828aa7c6ea%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[hadoop-common-issues] 20200909 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r154090b871cf96d985b90864442d84eb027c72c94bc3f0a5727ba2d1%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [GitHub] [atlas] nixonrodrigues commented on pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r28c9009a48d52cf448f8b02cd823da0f8601d2dff4d66f387a35f1e0%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [jira] [Created] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rb7b28ac741e32dd5edb2c22485d635275bead7290b056ee56baf8ce0%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200914 [jira] [Updated] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/re791a854001ec1f79cd4f47328b270e7a1d9d7056debb8f16d962722%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-commits] 20200915 [atlas] branch master updated: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rce5c93bba6e815fb62ad38e28ca1943b3019af1eddeb06507ad4e11a%40%3Ccommits.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200915 [GitHub] [atlas] nixonrodrigues merged pull request #110: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r5510f0125ba409fc1cabd098ab8b457741e5fa314cbd0e61e4339422%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200915 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r2db207a2431a5e9e95e899858ab1f5eabd9bcc790a6ca7193ae07e94%40%3Cdev.atlas.apache.org%3E" }, { "name": "[atlas-commits] 20200916 [atlas] 02/02: ATLAS-3940 : Upgrade snakeyaml to a version without CVE-2017-18640 (#110)", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r1058e7646988394de6a3fd0857ea9b1ee0de14d7bb28fee5ff782457%40%3Ccommits.atlas.apache.org%3E" }, { "name": "[atlas-dev] 20200916 [jira] [Commented] (ATLAS-3940) Upgrade snakeyaml to a version without CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/re851bbfbedd47c690b6e01942acb98ee08bd00df1a94910b905bc8cd%40%3Cdev.atlas.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Created] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r56805265475919252ba7fc10123f15b91097f3009bae86476624ca25%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rbaa1f513d903c89a08267c91d86811fa5bcc82e0596b6142c5cea7ea%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/reb1751562ee5146d3aca654a2df76a2c13d8036645ce69946f9c219e%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20200930 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r1ffce2ed3017e9964f03ad2c539d69e49144fc8e9bf772d641612f98%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201001 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rc3211c71f7e0973a1825d1988a3921288c06cd9d793eae97ecd34948%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201002 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r55d807f31e64a080c54455897c20b1667ec792e5915132c7b7750533%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201002 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/recfe569f4f260328b0036f1c82b2956e864d519ab941a5e75d0d832d%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201007 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rf95bebee6dfcc55067cebe8482bd31e6f481d9f74ba8e03f860c3ec7%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201007 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r1703a402f30c8a2ee409f8c6f393e95a63f8c952cc9ee5bf9dd586dc%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Comment Edited] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r191ceadb1b883357384981848dfa5235cb02a90070c553afbaf9b3d9%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Commented] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r20350031c60a77b45e0eded33e9b3e9cb0cbfc5e24e1c63bf264df12%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [jira] [Updated] (CASSANDRA-16150) Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rd582c64f66c354240290072f340505f5d026ca944ec417226bb0272e%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[cassandra-commits] 20201009 [cassandra] branch trunk updated: Upgrade to snakeyaml \u003e= 1.26 version for CVE-2017-18640 fix", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rb5c33d0069c927fae16084f0605895b98d231d7c48527bcb822ac48c%40%3Ccommits.cassandra.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201026 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rcb4b61dbe2ed1c7a88781a9aff5a9e7342cc7ed026aec0418ee67596%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201027 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/raebd2019b3da8c2f90f31e8b203b45353f78770ca93bfe5376f5532e%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201028 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r4d7f37da1bc2df90a5a0f56eb7629b5ea131bfe11eeeb4b4c193f64a%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20201028 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r22ac2aa053b7d9c6b75a49db78125c9316499668d0f4a044f3402e2f%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20201028 [hadoop] branch trunk updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r1aab47b48a757c70e40fc0bcb1fcf1a3951afa6a17aee7cd66cf79f8%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20201028 [hadoop] branch branch-3.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rcb2a7037366c58bac6aec6ce3df843a11ef97ae4eb049f05f410eaa5%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[phoenix-dev] 20210419 [jira] [Created] (OMID-207) Upgrade to snakeyaml 1.26 due to CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r436988d2cfe8a770ae361c82b181c5b2bf48a249bad84d8a55a3b46e%40%3Cdev.phoenix.apache.org%3E" }, { "name": "[phoenix-dev] 20210419 [GitHub] [phoenix-omid] richardantal opened a new pull request #93: OMID-207 Upgrade to snakeyaml 1.26 due to CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r7ce3de03facf7e7f3e24fc25d26d555818519dafdb20f29398a3414b%40%3Cdev.phoenix.apache.org%3E" }, { "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "url": "https://bitbucket.org/asomov/snakeyaml/issues/377/allow-configuration-for-preventing-billion" }, { "url": "https://mvnrepository.com/artifact/org.yaml/snakeyaml/1.25/usages" }, { "url": "https://bitbucket.org/asomov/snakeyaml/wiki/Billion%20laughs%20attack" }, { "url": "https://lists.apache.org/thread.html/r4c682fb8cf69dd14162439656a6ebdf42ea6ad0e4edba95907ea3f14%40%3Ccommits.servicecomb.apache.org%3E" }, { "url": "https://lists.apache.org/thread.html/r900e020760c89f082df1c6e0d46320eba721e4e47bb9eb521e68cd95%40%3Ccommits.servicecomb.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r16ae4e529401b75a1f5aa462b272b31bf2a108236f882f06fddc14bc%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2.3 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rfe0aab6c3bebbd9cbfdedb65ff3fdf420714bcb8acdfd346077e1263%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211008 [jira] [Updated] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r182e9cf6f3fb22b9be0cac4ff0685199741d2ab6e9a4e27a3693c224%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "name": "[hadoop-common-commits] 20211008 [hadoop] branch branch-3.2 updated: HADOOP-17236. Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640. Contributed by Brahma Reddy Battula.", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/rdd34c0479587e32a656d976649409487d51ca0d296b3e26b6b89c3f5%40%3Ccommon-commits.hadoop.apache.org%3E" }, { "name": "[hadoop-common-issues] 20211008 [jira] [Commented] (HADOOP-17236) Bump up snakeyaml to 1.26 to mitigate CVE-2017-18640", "tags": [ "mailing-list" ], "url": "https://lists.apache.org/thread.html/r465d2553a31265b042cf5457ef649b71e0722ab89b6ea94a5d59529b%40%3Ccommon-issues.hadoop.apache.org%3E" }, { "url": "https://bitbucket.org/snakeyaml/snakeyaml/wiki/Changes" }, { "url": "https://bitbucket.org/snakeyaml/snakeyaml/issues/377" }, { "name": "GLSA-202305-28", "tags": [ "vendor-advisory" ], "url": "https://security.gentoo.org/glsa/202305-28" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-18640", "datePublished": "2019-12-12T00:00:00", "dateReserved": "2019-12-12T00:00:00", "dateUpdated": "2024-08-05T21:28:55.802Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21409
Vulnerability from cvelistv5
Published
2021-03-30 15:05
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:16.144Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "netty", "vendor": "netty", "versions": [ { "status": "affected", "version": "\u003c 4.1.61.Final" } ] } ], "descriptions": [ { "lang": "en", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:24:02", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa%40%3Cjira.kafka.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2%40%3Ccommits.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "source": { "advisory": "GHSA-f256-j965-7f32", "discovery": "UNKNOWN" }, "title": "Possible request smuggling in HTTP/2 due missing validation of content-length", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21409", "STATE": "PUBLIC", "TITLE": "Possible request smuggling in HTTP/2 due missing validation of content-length" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "netty", "version": { "version_data": [ { "version_value": "\u003c 4.1.61.Final" } ] } } ] }, "vendor_name": "netty" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32", "refsource": "CONFIRM", "url": "https://github.com/netty/netty/security/advisories/GHSA-f256-j965-7f32" }, { "name": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "refsource": "MISC", "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "name": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295", "refsource": "MISC", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21295" }, { "name": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432", "refsource": "MISC", "url": "https://github.com/netty/netty/commit/b0fa4d5aab4215f3c22ce6123dd8dd5f38dc0432" }, { "name": "DSA-4885", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r70c3a7bfa904f06a1902f4df20ee26e4f09a46b8fd3eb304dc57a2de@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra66e93703e3f4bd31bdfd0b6fb0c32ae96b528259bb1aa2b6d38e401@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2732aa3884cacfecac4c54cfaa77c279ba815cad44b464a567216f83@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0ca82fec33334e571fe5b388272260778883e307e15415d7b1443de2@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r823d4b27fcba8dad5fe945bdefce3ca5a0031187966eb6ef3cc22ba9@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] ayushmantri opened a new pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r101f82d8f3b5af0bf79aecbd5b2dd3b404f6bb51d1a54c2c3d29bed9@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Updated] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf521ff2be2e2dd38984174d3451e6ee935c845948845c8fccd86371d@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] arshadmohammad commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5cbea8614812289a9b98d0cfc54b47f54cef424ac98d5e315b791795@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch master updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdd206d9dd7eb894cc089b37fe6edde2932de88d63a6d8368b44f5101@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Resolved] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rac8cf45a1bab9ead5c9a860cbadd6faaeb7792203617b6ec3874736d@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a98827bb4a7edbd69ef862f2351391845697c40711820d10df52ca5@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r69efd8ef003f612c43e4154e788ca3b1f837feaacd16d97854402355@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210408 [jira] [Assigned] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b8be87acf5b9c098a2ee350b5ca5716fe7afeaf0a21a4ee45a90687@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210408 [GitHub] [zookeeper] asfgit closed pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re4b0141939370304d676fe23774d0c6fbc584b648919825402d0cb39@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210408 [zookeeper] 01/02: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdd5715f3ee5e3216d5e0083a07994f67da6dbb9731ce9e7a6389b18e@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210409 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1b3cb056364794f919aaf26ceaf7423de64e7fdd05a914066e7d5219@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari opened a new pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf38e4dcdefc7c59f7ba0799a399d6d6e37b555d406a1dfc2fcbf0b35@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210419 [GitHub] [pulsar] lhotari commented on pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r61564d86a75403b854cdafee67fc69c8b88c5f6802c2c838f4282cc8@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] eolivelli merged pull request #10266: [Security] Upgrade Netty to 4.1.63.Final to address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7879ddcb990c835c6b246654770d836f9d031dee982be836744e50ed@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" }, { "name": "[kafka-jira] 20210506 [GitHub] [kafka] dongjinleekr opened a new pull request #10642: KAFKA-12756: Update Zookeeper to 3.6.3 or higher", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbde2f13daf4911504f0eaea43eee4f42555241b5f6d9d71564b6c5fa@%3Cjira.kafka.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Updated] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rafc77f9f03031297394f3d372ccea751b23576f8a2ae9b6b053894c5@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re39391adcb863f0e9f3f15e7986255948f263f02e4700b82453e7102@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210517 [jira] [Created] (ZOOKEEPER-4295) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re9e6ed60941da831675de2f8f733c026757fb4fa28a7b6c9f3dfb575@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210517 [GitHub] [zookeeper] gpiyush-dev opened a new pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re1911e05c08f3ec2bab85744d788773519a0afb27272a31ac2a0b4e8@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210521 [GitHub] [zookeeper] maoling commented on pull request #1696: ZOOKEEPER-4295: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21409 in branch-3.5", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/redef0fb5474fd686781007de9ddb852b24f1b04131a248d9a4789183@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210604-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[zookeeper-issues] 20210727 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rba2a9ef1d0af882ab58fadb336a58818495245dda43d32a7d7837187@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210727 [jira] [Comment Edited] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raa413040db6d2197593cc03edecfd168732e697119e6447b0a25d525@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210727 [GitHub] [zookeeper] sandipbhattacharya commented on pull request #1678: ZOOKEEPER-4278: dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf148b2bf6c2754153a8629bc7495e216bd0bd4c915695486542a10b4@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210922 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6dac9bd799ceac499c7a7e152a9b0dc7f2fe7f89ec5605d129bb047b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Commented] (ZOOKEEPER-4278) dependency-check:check failing - netty-transport-4.1.60.Final CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r31044fb995e894749cb821c6fe56f487c16a97028e6e360e59f09d58@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5f2f120b2b8d099226473db1832ffb4d7c1d6dc2d228a164bf293a8e@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210923 [jira] [Created] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcae42fba06979934208bbd515584b241d3ad01d1bb8b063512644362@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Assigned] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9ec78dc409f3f1edff88f21cab53737f36aad46f582a9825389092e0@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210923 [jira] [Updated] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7b54563abebe3dbbe421e1ba075c2030d8d460372f8c79b7789684b6@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210924 [jira] [Resolved] (ZOOKEEPER-4385) Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r967002f0939e69bdec58f070735a19dd57c1f2b8f817949ca17cddae@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210924 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4385. Backport ZOOKEEPER-4278 to branch-3.5 to Address CVE-2021-21409", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9fe840c36b74f92b8d4a089ada1f9fd1d6293742efa18b10e06b66d2@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] }, "source": { "advisory": "GHSA-f256-j965-7f32", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21409", "datePublished": "2021-03-30T15:05:17", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:16.144Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-34428
Vulnerability from cvelistv5
Published
2021-06-22 14:45
Modified
2024-08-04 00:12
Severity ?
EPSS score ?
Summary
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jetty |
Version: 9.0.0 < unspecified Version: unspecified < Version: 10.0.0 < unspecified Version: unspecified < Version: 11.0.0 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:12:50.169Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210813-0003/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "9.0.0", "versionType": "custom" }, { "lessThanOrEqual": "9.4.40", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "10.0.0", "versionType": "custom" }, { "lessThanOrEqual": "10.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "11.0.0", "versionType": "custom" }, { "lessThanOrEqual": "11.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 2.9, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-613", "description": "CWE-613", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:55:25", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210813-0003/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-34428", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "9.0.0" }, { "version_affected": "\u003c=", "version_value": "9.4.40" }, { "version_affected": "\u003e=", "version_value": "10.0.0" }, { "version_affected": "\u003c=", "version_value": "10.0.2" }, { "version_affected": "\u003e=", "version_value": "11.0.0" }, { "version_affected": "\u003c=", "version_value": "11.0.2" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in." } ] }, "impact": { "cvss": { "baseScore": 2.9, "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-613" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://security.netapp.com/advisory/ntap-20210813-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210813-0003/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-34428", "datePublished": "2021-06-22T14:45:11", "dateReserved": "2021-06-09T00:00:00", "dateUpdated": "2024-08-04T00:12:50.169Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28165
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jetty |
Version: 7.2.2 < unspecified Version: unspecified < Version: 10.0.0.alpha0 < unspecified Version: unspecified < Version: 11.0.0.alpha0 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.085Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "7.2.2", "versionType": "custom" }, { "lessThanOrEqual": "9.4.38", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "10.0.0.alpha0", "versionType": "custom" }, { "lessThanOrEqual": "10.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "11.0.0.alpha0", "versionType": "custom" }, { "lessThanOrEqual": "11.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-400", "description": "CWE-400", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-551", "description": "CWE-551", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:20", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28165", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "7.2.2" }, { "version_affected": "\u003c=", "version_value": "9.4.38" }, { "version_affected": "\u003e=", "version_value": "10.0.0.alpha0" }, { "version_affected": "\u003c=", "version_value": "10.0.1" }, { "version_affected": "\u003e=", "version_value": "11.0.0.alpha0" }, { "version_affected": "\u003c=", "version_value": "11.0.1" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame." } ] }, "impact": { "cvss": { "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-400" } ] }, { "description": [ { "lang": "eng", "value": "CWE-551" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "name": "[oss-security] 20210420 Vulnerability in Jenkins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2021/04/20/3" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E" }, { "name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://security.netapp.com/advisory/ntap-20210611-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "DSA-4949", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28165", "datePublished": "2021-04-01T14:20:14", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.085Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-29425
Vulnerability from cvelistv5
Published
2021-04-13 06:50
Modified
2024-08-03 22:02
Severity ?
EPSS score ?
Summary
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | Apache Software Foundation | Apache Commons IO |
Version: Apache Commons IO 2.2 Version: Apache Commons IO 2.3 Version: Apache Commons IO 2.4 Version: Apache Commons IO 2.5 Version: Apache Commons IO 2.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T22:02:51.887Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://issues.apache.org/jira/browse/IO-556" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" }, { "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E" }, { "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E" }, { "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E" }, { "name": "[commons-user] 20210709 commons-fileupload dependency and CVE", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E" }, { "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0004/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Apache Commons IO", "vendor": "Apache Software Foundation", "versions": [ { "status": "affected", "version": "Apache Commons IO 2.2" }, { "status": "affected", "version": "Apache Commons IO 2.3" }, { "status": "affected", "version": "Apache Commons IO 2.4" }, { "status": "affected", "version": "Apache Commons IO 2.5" }, { "status": "affected", "version": "Apache Commons IO 2.6" } ] } ], "descriptions": [ { "lang": "en", "value": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-25T16:27:07", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://issues.apache.org/jira/browse/IO-556" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" }, { "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330%40%3Cdev.commons.apache.org%3E" }, { "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31%40%3Cdev.commons.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c%40%3Cdev.creadur.apache.org%3E" }, { "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34%40%3Cdev.myfaces.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5%40%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19%40%3Cdev.creadur.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a%40%3Cdev.creadur.apache.org%3E" }, { "name": "[commons-user] 20210709 commons-fileupload dependency and CVE", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a%40%3Cuser.commons.apache.org%3E" }, { "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa%40%3Cuser.commons.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80%40%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e%40%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0004/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "source": { "defect": [ "IO-556", "IO-559" ], "discovery": "UNKNOWN" }, "title": "Possible limited path traversal vulnerabily in Apache Commons IO ", "workarounds": [ { "lang": "en", "value": "Neither the method in question (FileNameUtils.normalize) nor any methods, that invoke it, do actually access any files. There\u0027s only a string returned, from which a path can be constructed. In other words, a possible workaround would be not passing any unsafe input to FileNameUtils.normalize.\n " }, { "lang": "en", "value": "Upgrade to Apache Commons IO 2.7, or later, where the same method returns the value null, as an indication of \"invalid input\".\n" } ], "x_generator": { "engine": "Vulnogram 0.0.9" }, "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@apache.org", "ID": "CVE-2021-29425", "STATE": "PUBLIC", "TITLE": "Possible limited path traversal vulnerabily in Apache Commons IO " }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Apache Commons IO", "version": { "version_data": [ { "version_affected": "=", "version_name": "Apache Commons IO", "version_value": "2.2" }, { "version_affected": "=", "version_name": "Apache Commons IO", "version_value": "2.3" }, { "version_affected": "=", "version_name": "Apache Commons IO", "version_value": "2.4" }, { "version_affected": "=", "version_name": "Apache Commons IO", "version_value": "2.5" }, { "version_affected": "=", "version_name": "Apache Commons IO", "version_value": "2.6" } ] } } ] }, "vendor_name": "Apache Software Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value." } ] }, "generator": { "engine": "Vulnogram 0.0.9" }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-20 Improper Input Validation" } ] } ] }, "references": { "reference_data": [ { "name": "https://issues.apache.org/jira/browse/IO-556", "refsource": "MISC", "url": "https://issues.apache.org/jira/browse/IO-556" }, { "name": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" }, { "name": "[commons-dev] 20210414 Re: [all] OSS Fuzz", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E" }, { "name": "[commons-dev] 20210415 Re: [all] OSS Fuzz", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E" }, { "name": "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E" }, { "name": "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E" }, { "name": "[kafka-users] 20210617 vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "name": "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E" }, { "name": "[commons-user] 20210709 commons-fileupload dependency and CVE", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E" }, { "name": "[commons-user] 20210709 Re: commons-fileupload dependency and CVE", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E" }, { "name": "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://security.netapp.com/advisory/ntap-20220210-0004/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220210-0004/" }, { "name": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] }, "source": { "defect": [ "IO-556", "IO-559" ], "discovery": "UNKNOWN" }, "work_around": [ { "lang": "en", "value": "Neither the method in question (FileNameUtils.normalize) nor any methods, that invoke it, do actually access any files. There\u0027s only a string returned, from which a path can be constructed. In other words, a possible workaround would be not passing any unsafe input to FileNameUtils.normalize.\n " }, { "lang": "en", "value": "Upgrade to Apache Commons IO 2.7, or later, where the same method returns the value null, as an indication of \"invalid input\".\n" } ] } } }, "cveMetadata": { "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-29425", "datePublished": "2021-04-13T06:50:12", "dateReserved": "2021-03-30T00:00:00", "dateUpdated": "2024-08-03T22:02:51.887Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28163
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.32 < unspecified Version: unspecified < Version: 10.0.0.beta2 < unspecified Version: unspecified < Version: 11.0.0.beta2 < unspecified Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.280Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "FEDORA-2021-444e38face", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/" }, { "name": "FEDORA-2021-35f06984d7", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/" }, { "name": "FEDORA-2021-fd66b2bd53", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThan": "unspecified", "status": "affected", "version": "9.4.32", "versionType": "custom" }, { "lessThanOrEqual": "9.4.38", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "10.0.0.beta2", "versionType": "custom" }, { "lessThanOrEqual": "10.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThan": "unspecified", "status": "affected", "version": "11.0.0.beta2", "versionType": "custom" }, { "lessThanOrEqual": "11.0.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:15", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E" }, { "name": "FEDORA-2021-444e38face", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/" }, { "name": "FEDORA-2021-35f06984d7", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/" }, { "name": "FEDORA-2021-fd66b2bd53", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28163", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003e=", "version_value": "9.4.32" }, { "version_affected": "\u003c=", "version_value": "9.4.38" }, { "version_affected": "\u003e=", "version_value": "10.0.0.beta2" }, { "version_affected": "\u003c=", "version_value": "10.0.1" }, { "version_affected": "\u003e=", "version_value": "11.0.0.beta2" }, { "version_affected": "\u003c=", "version_value": "11.0.1" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory." } ] }, "impact": { "cvss": { "baseScore": 2.7, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" }, { "name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E" }, { "name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E" }, { "name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E" }, { "name": "FEDORA-2021-444e38face", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/" }, { "name": "FEDORA-2021-35f06984d7", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/" }, { "name": "FEDORA-2021-fd66b2bd53", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/" }, { "name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E" }, { "name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E" }, { "name": "https://security.netapp.com/advisory/ntap-20210611-0006/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210611-0006/" }, { "name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28163", "datePublished": "2021-04-01T14:20:13", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.280Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21290
Vulnerability from cvelistv5
Published
2021-02-08 20:10
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.620Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" }, { "name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" }, { "name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E" }, { "name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0011/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "netty", "vendor": "netty", "versions": [ { "status": "affected", "version": "\u003c 4.1.59.Final" } ] } ], "descriptions": [ { "lang": "en", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\u0027s \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-378", "description": "CWE-378: Creation of Temporary File With Insecure Permissions", "lang": "en", "type": "CWE" } ] }, { "descriptions": [ { "cweId": "CWE-379", "description": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:23:48", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" }, { "name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" }, { "name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f%40%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020%40%3Cdev.tinkerpop.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05%40%3Cdev.kafka.apache.org%3E" }, { "name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29%40%3Cusers.activemq.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20220210-0011/" } ], "source": { "advisory": "GHSA-5mcr-gq6c-3hq2", "discovery": "UNKNOWN" }, "title": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21290", "STATE": "PUBLIC", "TITLE": "Local Information Disclosure Vulnerability in Netty on Unix-Like systems due temporary files" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "netty", "version": { "version_data": [ { "version_value": "\u003c 4.1.59.Final" } ] } } ] }, "vendor_name": "netty" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty\u0027s multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method \"File.createTempFile\" on unix-like systems creates a random file, but, by default will create this file with the permissions \"-rw-r--r--\". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty\u0027s \"AbstractDiskHttpData\" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own \"java.io.tmpdir\" when you start the JVM or use \"DefaultHttpDataFactory.setBaseDir(...)\" to set the directory to something that is only readable by the current user." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-378: Creation of Temporary File With Insecure Permissions" } ] }, { "description": [ { "lang": "eng", "value": "CWE-379: Creation of Temporary File in Directory with Insecure Permissions" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2", "refsource": "CONFIRM", "url": "https://github.com/netty/netty/security/advisories/GHSA-5mcr-gq6c-3hq2" }, { "name": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec", "refsource": "MISC", "url": "https://github.com/netty/netty/commit/c735357bf29d07856ad171c6611a2e1a0e0000ec" }, { "name": "[debian-lts-announce] 20210211 [SECURITY] [DLA 2555-1] netty security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/02/msg00016.html" }, { "name": "[kafka-jira] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc488f80094872ad925f0c73d283d4c00d32def81977438e27a3dc2bb@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210301 [jira] [Created] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2748097ea4b774292539cf3de6e3b267fc7a88d6c8ec40f4e2e87bd4@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [jira] [Assigned] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra503756ced78fdc2136bd33e87cb7553028645b261b1f5c6186a121e@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr opened a new pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r10308b625e49d4e9491d7e079606ca0df2f0a4d828f1ad1da64ba47b@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210301 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2fda4dab73097051977f2ab818f75e04fbcb15bb1003c8530eac1059@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r326ec431f06eab7cb7113a7a338e59731b8d556d05258457f12bac1b@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [jira] [Resolved] (KAFKA-12389) Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdba4f78ac55f803893a1a2265181595e79e3aa027e2e651dfba98c18@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] omkreddy closed pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0857b613604c696bf9743f0af047360baaded48b1c75cf6945a083c5@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.6 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5e4a540089760c8ecc2c411309d74264f1dad634ad93ad583ca16214@%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-commits] 20210302 [kafka] branch 2.7 updated: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r71dbb66747ff537640bb91eb0b2b24edef21ac07728097016f58b01f@%3Ccommits.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210302 [GitHub] [kafka] dongjinleekr commented on pull request #10235: KAFKA-12389: Upgrade of netty-codec due to CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra0fc2b4553dd7aaf75febb61052b7f1243ac3a180a71c01f29093013@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5bf303d7c04da78f276765da08559fdc62420f1df539b277ca31f63b@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210311 [jira] [Created] (ZOOKEEPER-4242) Upgrade Netty library to \u003e 4.1.59 due to security vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r743149dcc8db1de473e6bff0b3ddf10140a7357bc2add75f7d1fbb12@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2535) Netty 4.1.52 flagged as medium security violation", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4efed2c501681cb2e8d629da16e48d9eac429624fd4c9a8c6b8e7020@%3Cdev.tinkerpop.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" }, { "name": "DSA-4885", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "https://www.oracle.com/security-alerts/cpuApr2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "name": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r0053443ce19ff125981559f8c51cf66e3ab4350f47812b8cf0733a05@%3Cdev.kafka.apache.org%3E" }, { "name": "[activemq-users] 20210715 Next ActiveMQ Artemis Release - CVE-2021-21290 vulnerability", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5c701840aa2845191721e39821445e1e8c59711e71942b7796a6ec29@%3Cusers.activemq.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://security.netapp.com/advisory/ntap-20220210-0011/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220210-0011/" } ] }, "source": { "advisory": "GHSA-5mcr-gq6c-3hq2", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21290", "datePublished": "2021-02-08T20:10:16", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.620Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-27568
Vulnerability from cvelistv5
Published
2021-02-23 01:32
Modified
2024-08-03 21:26
Severity ?
EPSS score ?
Summary
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
References
â–Ľ | URL | Tags |
---|---|---|
https://github.com/netplex/json-smart-v1/issues/7 | x_refsource_MISC | |
https://github.com/netplex/json-smart-v2/issues/60 | x_refsource_MISC | |
https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6%40%3Ccommits.druid.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396%40%3Ccommits.druid.apache.org%3E | mailing-list, x_refsource_MLIST | |
https://www.oracle.com//security-alerts/cpujul2021.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpujan2022.html | x_refsource_MISC | |
https://www.oracle.com/security-alerts/cpuapr2022.html | x_refsource_MISC |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:26:09.165Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netplex/json-smart-v1/issues/7" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netplex/json-smart-v2/issues/60" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh opened a new pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6%40%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [druid] branch master updated: Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh merged pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396%40%3Ccommits.druid.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:09", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netplex/json-smart-v1/issues/7" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netplex/json-smart-v2/issues/60" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh opened a new pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6%40%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [druid] branch master updated: Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa%40%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh merged pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396%40%3Ccommits.druid.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-27568", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/netplex/json-smart-v1/issues/7", "refsource": "MISC", "url": "https://github.com/netplex/json-smart-v1/issues/7" }, { "name": "https://github.com/netplex/json-smart-v2/issues/60", "refsource": "MISC", "url": "https://github.com/netplex/json-smart-v2/issues/60" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh opened a new pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf70210b4d63191c0bfb2a0d5745e104484e71703bf5ad9cb01c980c6@%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [druid] branch master updated: Suppress CVE-2021-27568 from json-smart 2.3 dependency (#11438)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re237267da268c690df5e1c6ea6a38a7fc11617725e8049490f58a6fa@%3Ccommits.druid.apache.org%3E" }, { "name": "[druid-commits] 20210712 [GitHub] [druid] zachjsh merged pull request #11438: Suppress CVE-2021-27568 from json-smart 2.3 dependency", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb6287f5aa628c8d9af52b5401ec6cc51b6fc28ab20d318943453e396@%3Ccommits.druid.apache.org%3E" }, { "name": "https://www.oracle.com//security-alerts/cpujul2021.html", "refsource": "MISC", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-27568", "datePublished": "2021-02-23T01:32:14", "dateReserved": "2021-02-23T00:00:00", "dateUpdated": "2024-08-03T21:26:09.165Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-21295
Vulnerability from cvelistv5
Published
2021-03-09 18:35
Modified
2024-08-03 18:09
Severity ?
EPSS score ?
Summary
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | netty | io.netty:netty-codec-http2 |
Version: < 4.1.60.Final |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T18:09:15.344Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/Netflix/zuul/pull/980" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E" }, { "name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E" }, { "name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "io.netty:netty-codec-http2", "vendor": "netty", "versions": [ { "status": "affected", "version": "\u003c 4.1.60.Final" } ] } ], "descriptions": [ { "lang": "en", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:23:53", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/Netflix/zuul/pull/980" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f%40%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5%40%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325%40%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890%40%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8%40%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c%40%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f%40%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8%40%3Ccommits.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd%40%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6%40%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190%40%3Cissues.hbase.apache.org%3E" }, { "name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4885", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898%40%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c%40%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5%40%3Cissues.flink.apache.org%3E" }, { "name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3%40%3Cdev.jackrabbit.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb%40%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d%40%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071%40%3Ccommits.pulsar.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468%40%3Ccommits.servicecomb.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf%40%3Ccommits.servicecomb.apache.org%3E" } ], "source": { "advisory": "GHSA-wm47-8v5p-wjpj", "discovery": "UNKNOWN" }, "title": "Possible request smuggling in HTTP/2 due missing validation", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21295", "STATE": "PUBLIC", "TITLE": "Possible request smuggling in HTTP/2 due missing validation" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "io.netty:netty-codec-http2", "version": { "version_data": [ { "version_value": "\u003c 4.1.60.Final" } ] } } ] }, "vendor_name": "netty" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers \u0026 clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel\u0027s pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-444 Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj", "refsource": "CONFIRM", "url": "https://github.com/netty/netty/security/advisories/GHSA-wm47-8v5p-wjpj" }, { "name": "https://github.com/Netflix/zuul/pull/980", "refsource": "MISC", "url": "https://github.com/Netflix/zuul/pull/980" }, { "name": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4", "refsource": "MISC", "url": "https://github.com/netty/netty/commit/89c241e3b1795ff257af4ad6eadc616cb2fb3dc4" }, { "name": "[ranger-dev] 20210317 [jira] [Created] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r02e467123d45006a1dda20a38349e9c74c3a4b53e2e07be0939ecb3f@%3Cdev.ranger.apache.org%3E" }, { "name": "[ranger-dev] 20210317 [jira] [Assigned] (RANGER-3209) Upgrade netty to 4.1.60+ due to CVE-2021-21290 and CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r7bb3cdc192e9a6f863d3ea05422f09fa1ae2b88d4663e63696ee7ef5@%3Cdev.ranger.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] yaswanthnadella opened a new issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcd163e421273e8dca1c71ea298dce3dd11b41d51c3a812e0394e6a5d@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] aahmed-se opened a new pull request #10073: Upgrade Netty version to 4.1.60.final", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9924ef9357537722b28d04c98a189750b80694a19754e5057c34ca48@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[pulsar-commits] 20210329 [GitHub] [pulsar] merlimat closed issue #10071: CVE-2021-21295 \u0026 CVE-2021-21290", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb51d6202ff1a773f96eaa694b7da4ad3f44922c40b3d4e1a19c2f325@%3Ccommits.pulsar.apache.org%3E" }, { "name": "[bookkeeper-issues] 20210330 [GitHub] [bookkeeper] eolivelli opened a new issue #2669: Update Netty to 4.1.60.final", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r790c2926efcd062067eb18fde2486527596d7275381cfaff2f7b3890@%3Cissues.bookkeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1908a34b9cc7120e5c19968a116ddbcffea5e9deb76c2be4fa461904@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb06c1e766aa45ee422e8261a8249b561784186483e8f742ea627bda4@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Updated] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5e66e286afb5506cdfe9bbf68a323e8d09614f6d1ddc806ed0224700@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Created] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb592033a2462548d061a83ac9449c5ff66098751748fcd1e2d008233@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210330 [jira] [Created] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r59bac5c09f7a4179b9e2460e8f41c278aaf3b9a21cc23678eb893e41@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210330 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc0087125cb15b4b78e44000f841cd37fefedfda942fd7ddf3ad1b528@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Assigned] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1bca0b81193b74a451fc6d687ab58ef3a1f5ec40f6c61561d8dd9509@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3ff9e735ca33612d900607dc139ebd38a64cadc6bce292e53eb86d7f@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r312ce5bd3c6bf08c138349b507b6f1c25fe9cf40b6f2b0014c9d12b1@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Updated] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcfc535afd413d9934d6ee509dce234dac41fa3747a7555befb17447e@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr commented on pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3c293431c781696681abbfe1c573c2d9dcdae6fd3ff330ea22f0433f@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210331 [GitHub] [kafka] dongjinleekr opened a new pull request #10448: KAFKA-12583: Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r9051e4f484a970b5566dc1870ecd9c1eb435214e2652cf3ea4d0c0cc@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbadcbcb50195f00bbd196403865ced521ca70787999583c07be38d0e@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] eolivelli commented on pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r67e6a636cbc1958383a1cd72b7fd0cd7493360b1dd0e6c12f5761798@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] ayushmantri opened a new pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6a29316d758db628a1df49ca219d64caf493999b52cc77847bfba675@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad commented on pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5470456cf1409a99893ae9dd57439799f6dc1a60fda90e11570f66fe@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] arshadmohammad closed pull request #1670: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rbed09768f496244a2e138dbbe6d2847ddf796c9c8ef9e50f2e3e30d9@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-notifications] 20210331 [GitHub] [zookeeper] asfgit closed pull request #1669: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5232e33a1f3b310a3e083423f736f3925ebdb150844d60ac582809f8@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6a122c25e352eb134d01e7f4fc4d345a491c5ee9453fef6fc754d15b@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r22adb45fe902aeafcd0a1c4db13984224a667676c323c66db3af38a1@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch master updated: ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r837bbcbf12e335e83ab448b1bd2c1ad7e86efdc14034b23811422e6a@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-commits] 20210331 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4272 ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r70cebada51bc6d49138272437d8a28fe971d0197334ef906b575044c@%3Ccommits.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210331 [jira] [Resolved] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re6207ebe2ca4d44f2a6deee695ad6f27fd29d78980f1d46ed1574f91@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210401 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rdc096e13ac4501ea2e2b03a197682a313b85d3d3ec89d5ae5551b384@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[kafka-dev] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5fc5786cdd640b1b0a3c643237ce0011f0a08a296b11c0e2c669022c@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Commented] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r96ce18044880c33634c4b3fcecc57b8b90673c9364d63eba00385523@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210401 [jira] [Resolved] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rc165e36ca7cb5417aec3f21bbc4ec00fb38ecebdd96a82cfab9bd56f@%3Cjira.kafka.apache.org%3E" }, { "name": "[zookeeper-issues] 20210402 [jira] [Commented] (ZOOKEEPER-4272) Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2936730ef0a06e724b96539bc7eacfcd3628987c16b1b99c790e7b87@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell merged pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r22b2f34447d71c9a0ad9079b7860323d5584fb9b40eb42668c21eaf1@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] HorizonNet commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb95d42ce220ed4a4683aa17833b5006d657bc4254bc5cb03cd5e6bfb@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Assigned] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r393a339ab0b63ef9e6502253eeab26e7643b3e69738d5948b2b1d064@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r040a5e4d9cca2f98354b58a70b27099672276f66995c4e2e39545d0b@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r27b7e5a588ec826b15f38c40be500c50073400019ce7b8adfd07fece@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] apurtell commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r86cd38a825ab2344f3e6cad570528852f29a4ffdf56ab67d75c36edf@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Updated] (HBASE-25728) [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra83096bcbfe6e1f4d54449f8a013117a0536404e9d307ab4a0d34f81@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-commits] 20210402 [hbase-thirdparty] branch master updated: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295 (#48)", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rcf3752209a8b04996373bf57fdc808b3bfaa2be8702698a0323641f8@%3Ccommits.hbase.apache.org%3E" }, { "name": "[hbase-dev] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r905b92099998291956eebf4f1c5d95f5a0cbcece2946cc46d32274fd@%3Cdev.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #48: HBASE-25728 [hbase-thirdparty] Upgrade Netty library to \u003e= 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r6aee7e3566cb3e51eeed2fd8786704d91f80a7581e00a787ba9f37f6@%3Cissues.hbase.apache.org%3E" }, { "name": "[hbase-issues] 20210402 [jira] [Created] (HBASE-25728) [hbase-thirdparty] ZOOKEEPER-4272: Upgrade Netty library to \u003e 4.1.60 due to security vulnerability CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r268850f26639ebe249356ed6d8edb54ee8943be6f200f770784fb190@%3Cissues.hbase.apache.org%3E" }, { "name": "[kafka-jira] 20210402 [jira] [Assigned] (KAFKA-12583) Upgrade of netty-codec due to CVE-2021-21295", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r15f66ada9a5faf4bac69d9e7c4521cedfefa62df9509881603791969@%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4885", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4885" }, { "name": "[flink-issues] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r5baac01f9e06c40ff7aab209d5751b3b58802c63734e33324b70a06a@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-dev] 20210424 [jira] [Created] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra64d56a8a331ffd7bdcd24a9aaaeeedeacd5d639f5a683389123f898@%3Cdev.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd8f72411fb75b98d366400ae789966373b5c3eb3f511e717caf3e49e@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210426 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/re7c69756a102bebce8b8681882844a53e2f23975a189363e68ad0324@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210511 [jira] [Commented] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r855b4b6814ac829ce2d48dd9d8138d07f33387e710de798ee92c011e@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210610 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r0b09f3e31e004fe583f677f7afa46bd30110904576c13c5ac818ac2c@%3Cissues.flink.apache.org%3E" }, { "name": "[flink-issues] 20210618 [jira] [Updated] (FLINK-22441) In Flink v1.11.3 contains netty(version:3.10.6) netty(version:4.1.60) . There are many vulnerabilities, like CVE-2021-21409 etc. please confirm these version and fix. thx", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r602e98daacc98934f097f07f2eed6eb07c18bfc1949c8489dc7bfcf5@%3Cissues.flink.apache.org%3E" }, { "name": "[jackrabbit-dev] 20210709 [GitHub] [jackrabbit-oak] blackat opened a new pull request #321: Update netty to resolve CVE-2021-21295 and BDSA-2018-4022", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r3c4596b9b37f5ae91628ccf169d33cd5a0da4b16b6c39d5bad8e03f3@%3Cdev.jackrabbit.apache.org%3E" }, { "name": "https://security.netapp.com/advisory/ntap-20210604-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210604-0003/" }, { "name": "[kudu-issues] 20210904 [jira] [Created] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd4a6b7dec38ea6cd28b6f94bd4b312629a52b80be3786d5fb0e474bc@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210904 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rca0978b634a0c3ebee4126ec29c7f570b165fae3f8f3658754c1cbd3@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Resolved] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf934292a4a1c189827f625d567838d2c1001e4739b158638d844105b@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Commented] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ra655e5cec74d1ddf62adacb71d398abd96f3ea2c588f6bbf048348eb@%3Cissues.kudu.apache.org%3E" }, { "name": "[kudu-issues] 20210907 [jira] [Updated] (KUDU-3313) There is a CVE-2021-21409 vulnerability in netty version 4.1.60", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r4ea2f1a9d79d4fc1896e085f31fb60a21b1770d0a26a5250f849372d@%3Cissues.kudu.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[pulsar-commits] 20211020 [GitHub] [pulsar] Shoothzj opened a new pull request #12437: [Security] Bump grpc to 1.41.0", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r584cf871f188c406d8bd447ff4e2fd9817fca862436c064d0951a071@%3Ccommits.pulsar.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "name": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rb523bb6c60196c5f58514b86a8585c2069a4852039b45de3818b29d2@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r57245853c7245baab09eae08728c52b58fd77666538092389cc3e882@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r490ca5611c150d193b320a2608209180713b7c68e501b67b0cffb925@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r6d32fc3cd547f7c9a288a57c7f525f5d00a00d5d163613e0d10a23ef@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rdb4db3f5a9c478ca52a7b164680b88877a5a9c174e7047676c006b2c@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r8db1d7b3b9acc9e8d2776395e280eb9615dd7790e1da8c57039963de@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r2e93ce23e04c3f0a61e987d1111d0695cb668ac4ec4edbf237bd3e80@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rc73b8dd01b1be276d06bdf07883ecd93fe1a01f139a99ef30ba4308c@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rd25c88aad0e76240dd09f0eb34bdab924933946429e068a167adcb73@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rcfc154eb2de23d2dc08a56100341161e1a40a8ea86c693735437e8f2@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/ra96c74c37ed7252f78392e1ad16442bd16ae72a4d6c8db50dd55c88b@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r04a3e0d9f53421fb946c60cc54762b7151dc692eb4e39970a7579052@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/racc191a1f70a4f13155e8002c61bddef2870b26441971c697436ad5d@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rf87b870a22aa5c77c27900967b518a71a7d954c2952860fce3794b60@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r16c4b55ac82be72f28adad4f8061477e5f978199d5725691dcc82c24@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rae198f44c3f7ac5264045e6ba976be1703cff38dcf1609916e50210d@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/re4f70b62843e92163fab03b65e2aa8078693293a0c36f1cc260079ed@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/reafc834062486adfc7be5bb8f7b7793be0d33f483678a094c3f9d468@%3Ccommits.servicecomb.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r8bcaf7821247b1836b10f6a1a3a3212b06272fd4cde4a859de1b78cf@%3Ccommits.servicecomb.apache.org%3E" } ] }, "source": { "advisory": "GHSA-wm47-8v5p-wjpj", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21295", "datePublished": "2021-03-09T18:35:19", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.344Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-28169
Vulnerability from cvelistv5
Published
2021-06-09 01:55
Modified
2024-08-03 21:40
Severity ?
EPSS score ?
Summary
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
â–Ľ | The Eclipse Foundation | Eclipse Jetty |
Version: unspecified < Version: unspecified < Version: unspecified < |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T21:40:12.267Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://security.netapp.com/advisory/ntap-20210727-0009/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Eclipse Jetty", "vendor": "The Eclipse Foundation", "versions": [ { "lessThanOrEqual": "9.4.40", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "10.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" }, { "lessThanOrEqual": "11.0.2", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-19T23:54:32", "orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "shortName": "eclipse" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq" }, { "name": "[kafka-users] 20210617 vulnerabilities", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E" }, { "name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b%40%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c%40%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25%40%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_MISC" ], "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://security.netapp.com/advisory/ntap-20210727-0009/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security@eclipse.org", "ID": "CVE-2021-28169", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": "\u003c=", "version_value": "9.4.40" }, { "version_affected": "\u003c=", "version_value": "10.0.2" }, { "version_affected": "\u003c=", "version_value": "11.0.2" } ] } } ] }, "vendor_name": "The Eclipse Foundation" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application." } ] }, "impact": { "cvss": { "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq" }, { "name": "[kafka-users] 20210617 vulnerabilities", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E" }, { "name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html" }, { "name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b@%3Cdev.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c@%3Cjira.kafka.apache.org%3E" }, { "name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25@%3Cjira.kafka.apache.org%3E" }, { "name": "DSA-4949", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4949" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E" }, { "name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E" }, { "name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E" }, { "name": "https://www.oracle.com/security-alerts/cpuoct2021.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E", "refsource": "MISC", "url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E" }, { "name": "https://security.netapp.com/advisory/ntap-20210727-0009/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20210727-0009/" }, { "name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "name": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c", "assignerShortName": "eclipse", "cveId": "CVE-2021-28169", "datePublished": "2021-06-09T01:55:09", "dateReserved": "2021-03-12T00:00:00", "dateUpdated": "2024-08-03T21:40:12.267Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.