CVE-2021-28163

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Published: Apr 1, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-28163
GHSA: GHSA-j6qj-j888-vvgq
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 2.7
AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
eclipse / jetty	11.0.0-beta2	11.0.0-beta2.x
eclipse / jetty	10.0.0-beta2	10.0.0-beta2.x
eclipse / jetty	11.0.0	11.0.0.x
eclipse / jetty	11.0.1	11.0.1.x
eclipse / jetty	11.0.0-beta3	11.0.0-beta3.x
eclipse / jetty	10.0.1	10.0.1.x
eclipse / jetty	9.4.32	9.4.39
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
apache / solr	8.8.1	8.8.1.x
apache / ignite	-	2.1.1
netapp / virtual_storage_console	9.6	9.6.x
netapp / storage_replication_adapter_for_clustered_data_ontap	9.6	9.6.x
netapp / vasa_provider_for_clustered_data_ontap	9.6	9.6.x
netapp / e-series_santricity_os_controller	11.0.0	11.70.1.x
oracle / banking_digital_experience	20.1	20.1.x
oracle / communications_services_gatekeeper	7.0	7.0.x
oracle / autovue_for_agile_product_lifecycle_management	21.0.2	21.0.2.x
oracle / siebel_core_-_automation	-	21.9.x
oracle / communications_session_report_manager	8.0.0	8.2.4.0.x
oracle / communications_session_route_manager	8.0.0	8.2.4.0.x
oracle / communications_element_manager	8.2.2	8.2.2.x
oracle / banking_digital_experience	21.1	21.1.x
oracle / banking_apis	20.1	20.1.x
oracle / banking_apis	21.1	21.1.x
org.eclipse.jetty / jetty-deploy	9.4.32	9.4.39
org.eclipse.jetty / jetty-deploy	10.0.0	10.0.2
org.eclipse.jetty / jetty-deploy	11.0.0	11.0.2

Vulnerability Database

289,599

CVE-2021-28163