Vulnerability Database

289,599

Total vulnerabilities in the database

CVE-2020-27216

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

CVSS v3:

  • Severity: High
  • Score: 7
  • AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

  • Severity: Low
  • Score: 4.4
  • AV:L/AC:M/Au:N/C:P/I:P/A:P

CWEs:

Software From Fixed in
eclipse / jetty 11.0.0-alpha1 11.0.0-alpha1.x
eclipse / jetty 11.0.0-beta1 11.0.0-beta1.x
eclipse / jetty 11.0.0-beta2 11.0.0-beta2.x
eclipse / jetty 10.0.0-beta1 10.0.0-beta1.x
eclipse / jetty 10.0.0-beta2 10.0.0-beta2.x
eclipse / jetty 10.0.0-beta0 10.0.0-beta0.x
eclipse / jetty 10.0.0-alpha1 10.0.0-alpha1.x
eclipse / jetty 9.4.0 9.4.32.x
eclipse / jetty 1.0 9.3.29
netapp / vasa_provider 7.2 7.2.x
netapp / virtual_storage_console 7.2 7.2.x
netapp / storage_replication_adapter 7.2 7.2.x
oracle / flexcube_private_banking 12.1.0 12.1.0.x
oracle / flexcube_private_banking 12.0.0 12.0.0.x
oracle / communications_offline_mediation_controller 12.0.0.3.0 12.0.0.3.0.x
oracle / communications_services_gatekeeper 7.0 7.0.x
oracle / communications_element_manager 8.2.1 8.2.2.1.x
oracle / flexcube_core_banking 11.5.0 11.9.0.x
oracle / communications_application_session_controller 3.9m0p2 3.9m0p2.x
oracle / communications_pricing_design_center 12.0.0.3.0 12.0.0.3.0.x
oracle / jd_edwards_enterpriseone_tools - 9.2.6.0
oracle / communications_converged_application_server_-_service_controller 6.2 6.2.x
oracle / siebel_core_-_automation - 21.5.x
apache / beam 2.21.0 2.21.0.x
apache / beam 2.22.0 2.22.0.x
apache / beam 2.23.0 2.23.0.x
apache / beam 2.24.0 2.24.0.x
apache / beam 2.25.0 2.25.0.x
debian / debian_linux 9.0 9.0.x
debian / debian_linux 10.0 10.0.x
org.eclipse.jetty / jetty-webapp - 9.4.33
org.mortbay.jetty / jetty-webapp - 9.4.33
org.eclipse.jetty / jetty-webapp 10.0.0.beta1 10.0.0.beta3
org.mortbay.jetty / jetty-webapp 10.0.0.beta1 10.0.0.beta3
org.eclipse.jetty / jetty-webapp 11.0.0.beta1 11.0.0.beta3
org.mortbay.jetty / jetty-webapp 11.0.0.beta1 11.0.0.beta3