CVE-2021-28163

Summary

CVE	CVE-2021-28163
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-04-01 15:15:00 UTC
Updated	2023-11-07 03:32:00 UTC
Description	In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Risk And Classification

Problem Types: CWE-59

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Ignite	All	All	All	All
Application	Apache	Solr	8.8.1	All	All	All
Application	Eclipse	Jetty	All	All	All	All
Application	Eclipse	Jetty	10.0.0	beta2	All	All
Application	Eclipse	Jetty	10.0.1	All	All	All
Application	Eclipse	Jetty	11.0.0	-	All	All
Application	Eclipse	Jetty	11.0.0	beta2	All	All
Application	Eclipse	Jetty	11.0.0	beta3	All	All
Application	Eclipse	Jetty	11.0.1	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Netapp	Cloud Manager	-	All	All	All
Application	Netapp	E-series Performance Analyzer	-	All	All	All
Application	Netapp	E-series Santricity Os Controller	All	All	All	All
Application	Netapp	E-series Santricity Web Services	-	All	All	All
Application	Netapp	Element Plug-in For Vcenter Server	-	All	All	All
Application	Netapp	Santricity Cloud Connector	-	All	All	All
Application	Netapp	Snapcenter	-	All	All	All
Application	Netapp	Snapcenter Plug-in	-	All	All	All
Application	Netapp	Snapcenter Plug-in For Vmware Vsphere	-	All	All	All
Application	Netapp	Storage Replication Adapter For Clustered Data Ontap	All	All	All	All
Application	Netapp	Vasa Provider For Clustered Data Ontap	All	All	All	All
Application	Netapp	Virtual Storage Console	All	All	All	All
Application	Oracle	Autovue For Agile Product Lifecycle Management	21.0.2	All	All	All
Application	Oracle	Banking Apis	20.1	All	All	All
Application	Oracle	Banking Apis	21.1	All	All	All
Application	Oracle	Banking Digital Experience	20.1	All	All	All
Application	Oracle	Banking Digital Experience	21.1	All	All	All
Application	Oracle	Communications Element Manager	8.2.2	All	All	All
Application	Oracle	Communications Services Gatekeeper	7.0	All	All	All
Application	Oracle	Communications Session Report Manager	All	All	All	All
Application	Oracle	Communications Session Route Manager	All	All	All	All
Application	Oracle	Siebel Core - Automation	All	All	All	All

References

Reference	Source	Link	Tags
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MISC	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42		lists.apache.org
[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty		lists.apache.org
[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42		lists.apache.org
[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr		lists.apache.org
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42		lists.apache.org
[SECURITY] Fedora 34 Update: jetty-9.4.40-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Oracle Critical Patch Update Advisory - April 2022	MISC	www.oracle.com
[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[SECURITY] Fedora 33 Update: jetty-9.4.40-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34...		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Oracle Critical Patch Update Advisory - October 2021	MISC	www.oracle.com
Symlink Directory Exposes Webapp Directory Contents · Advisory · eclipse/jetty.project · GitHub	CONFIRM	github.com
Pony Mail!	MISC	lists.apache.org
[SECURITY] Fedora 32 Update: jetty-9.4.40-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty		lists.apache.org
Oracle Critical Patch Update Advisory - January 2022	MISC	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty		lists.apache.org
April 2021 Eclipse Jetty Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 32 Update: jetty-9.4.40-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: jetty-9.4.40-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813		lists.apache.org
lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29...		lists.apache.org
[SECURITY] Fedora 33 Update: jetty-9.4.40-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr		lists.apache.org
[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813		lists.apache.org
[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr		lists.apache.org
[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr		lists.apache.org
[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

180316 Debian Security Update for jetty9 (CVE-2021-28163)
239359 Red Hat Update for OpenShift Container Platform 4.7.11 (RHSA-2021:1551)
281280 Fedora Security Update for jetty (FEDORA-2021-444e38face)
281281 Fedora Security Update for jetty (FEDORA-2021-35f06984d7)
281283 Fedora Security Update for jetty (FEDORA-2021-fd66b2bd53)
750663 SUSE Enterprise Linux Security Update for jetty-minimal (SUSE-SU-2021:2005-1)
750781 OpenSUSE Security Update for jetty-minimal (openSUSE-SU-2021:2005-1)
770059 Red Hat OpenShift Container Platform 4.7.11 Security and Bug Fix Update (RHSA-2021:1551)
770112 Red Hat OpenShift Container Platform 4.7 Security Update (RHSA-2021-1551)
980350 Java (maven) Security Update for org.eclipse.jetty:jetty-deploy (GHSA-j6qj-j888-vvgq)