CVE-2021-28163 : In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 1

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Published 2021-04-01 15:15:14

Updated 2022-05-12 14:36:02

Source Eclipse Foundation

View at NVD, CVE.org

Vulnerability category: Information leak

Products affected by CVE-2021-28163

Apache » Solr » Version: 8.8.1
cpe:2.3:a:apache:solr:8.8.1:*:*:*:*:*:*:*
Matching versions
Apache » Ignite
Versions before (<) 2.1.1
cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Services Gatekeeper » Version: 7.0
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Element Manager » Version: 8.2.2
cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Session Report Manager
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.2.4.0
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Session Route Manager
Versions from including (>=) 8.0.0 and up to, including, (<=) 8.2.4.0
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Digital Experience » Version: 20.1
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Digital Experience » Version: 21.1
cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*
Matching versions
Oracle » Autovue For Agile Product Lifecycle Management » Version: 21.0.2
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
Matching versions
Oracle » Siebel Core - Automation
Versions up to, including, (<=) 21.9
cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Apis » Version: 20.1
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
Matching versions
Oracle » Banking Apis » Version: 21.1
cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 32
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Netapp » Santricity Cloud Connector » Version: N/A
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter » Version: N/A
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Os Controller
Versions from including (>=) 11.0.0 and up to, including, (<=) 11.70.1
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Santricity Web Services » Version: N/A For Web Services Proxy
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
Matching versions
Netapp » Virtual Storage Console » For Vmware Vsphere
Versions from including (>=) 9.6
cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Storage Replication Adapter For Clustered Data Ontap » For Vmware Vsphere
Versions from including (>=) 9.6
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:*
Matching versions
Netapp » Vasa Provider For Clustered Data Ontap
Versions from including (>=) 9.6
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*
Matching versions
Netapp » Element Plug-in For Vcenter Server » Version: N/A
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*
Matching versions
Netapp » Cloud Manager » Version: N/A
cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
Matching versions
Netapp » E-series Performance Analyzer » Version: N/A
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
Matching versions
Netapp » Snapcenter Plug-in » Version: N/A For Vmware Vsphere
cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*
Matching versions
Eclipse » Jetty
Versions from including (>=) 9.4.32 and before (<) 9.4.39
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 10.0.0 Update Beta2
cpe:2.3:a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 10.0.1
cpe:2.3:a:eclipse:jetty:10.0.1:*:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 11.0.0
cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 11.0.0 Update Beta2
cpe:2.3:a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 11.0.0 Update Beta3
cpe:2.3:a:eclipse:jetty:11.0.0:beta3:*:*:*:*:*:*
Matching versions
Eclipse » Jetty » Version: 11.0.1
cpe:2.3:a:eclipse:jetty:11.0.1:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-28163

EPSS FAQ

0.18%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-28163

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:P/I:N/A:N	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
2.7	LOW	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N	1.2	1.4	Eclipse Foundation
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None
2.7	LOW	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N	1.2	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Unchanged Confidentiality: Low Integrity: None Availability: None

CWE ids for CVE-2021-28163

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Assigned by: nvd@nist.gov (Primary)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Assigned by: emo@eclipse.org (Secondary)

References for CVE-2021-28163

https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq

Symlink Directory Exposes Webapp Directory Contents · Advisory · eclipse/jetty.project · GitHub
Exploit;Third Party Advisory
https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E

[jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Not Applicable;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E

[jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] AnanyaSingh2121 opened a new pull request #1769: Update Jetty: 9.4.39.v20210325 → 9.4.43.v20210629 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/

[SECURITY] Fedora 32 Update: jetty-9.4.40-1.fc32 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20210611-0006/

April 2021 Eclipse Jetty Vulnerabilities in NetApp Products | NetApp Product Security
Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E

[GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E

[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E

[jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/

[SECURITY] Fedora 33 Update: jetty-9.4.40-1.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E

[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr - Pony Mail
Mailing List;Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E

Pony Mail!
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E

[jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E

[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr - Pony Mail
Mailing List;Patch;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E

[jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr - Pony Mail
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E

[jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E

[jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/

[SECURITY] Fedora 34 Update: jetty-9.4.40-1.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E

[jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E

[GitHub] [zookeeper] purpul opened a new pull request #1768: Update Jetty: 9.4.39.v20210325 → 9.4.42.v20210604 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E

[jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42 - Pony Mail
Mailing List;Third Party Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-28163

Products affected by CVE-2021-28163

Exploit prediction scoring system (EPSS) score for CVE-2021-28163

CVSS scores for CVE-2021-28163

CWE ids for CVE-2021-28163

References for CVE-2021-28163