GHSA-j6qj-j888-vvgq

Опубликовано: 06 апр. 2021

Источник: github

Github: Прошло ревью

CVSS3: 2.7

Описание

Directory exposure in jetty

Impact

If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}:

demo-base/ ├── etc ├── lib ├── resources ├── start.d ├── deploy │ └── async-rest.war └── webapps -> deploy

Workarounds

Do not use a symlink

Ссылки

Пакеты

Наименование

org.eclipse.jetty:jetty-deploy

maven

Затронутые версииВерсия исправления

>= 9.4.32, < 9.4.39

9.4.39

Наименование

org.eclipse.jetty:jetty-deploy

maven

Затронутые версииВерсия исправления

>= 10.0.0, < 10.0.2

10.0.2

Наименование

org.eclipse.jetty:jetty-deploy

maven

Затронутые версииВерсия исправления

>= 11.0.0, < 11.0.2

11.0.2

EPSS

Процентиль: 36%

0.00154

Низкий

2.7 Low

CVSS3

CVE ID

CVE-2021-28163

Дефекты

CWE-200

CWE-59

Связанные уязвимости

CVE-2021-28163

CVSS3: 2.7

ubuntu

почти 5 лет назад

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.