Описание
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
Отчет
In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws. Red Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | jetty-server | Not affected | ||
| Red Hat Enterprise Linux 7 | jetty | Out of support scope | ||
| Red Hat Enterprise Linux 8 | eclipse:rhel8/jetty | Will not fix | ||
| Red Hat Integration Service Registry | jetty-server | Affected | ||
| Red Hat JBoss A-MQ 6 | jetty-server | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty-server | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Affected | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hive | Will not fix |
Показывать по
Дополнительная информация
Статус:
EPSS
2.7 Low
CVSS3
Связанные уязвимости
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0. ...
Уязвимость компонента webapps контейнера сервлетов Eclipse Jetty, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
2.7 Low
CVSS3