CVE-2021-28163
01.04.2021, 15:15
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Vendor | Product | Version |
---|---|---|
eclipse | jetty | 9.4.32 ≤ 𝑥 < 9.4.39 |
eclipse | jetty | 10.0.0:beta2 |
eclipse | jetty | 10.0.1 |
eclipse | jetty | 11.0.0 |
eclipse | jetty | 11.0.0:beta2 |
eclipse | jetty | 11.0.0:beta3 |
eclipse | jetty | 11.0.1 |
apache | ignite | 𝑥 < 2.1.1 |
apache | solr | 8.8.1 |
netapp | cloud_manager | - |
netapp | e-series_performance_analyzer | - |
netapp | e-series_santricity_os_controller | 11.0.0 ≤ 𝑥 ≤ 11.70.1 |
netapp | e-series_santricity_web_services | - |
netapp | element_plug-in_for_vcenter_server | - |
netapp | santricity_cloud_connector | - |
netapp | snapcenter | - |
netapp | snapcenter_plug-in | - |
netapp | storage_replication_adapter_for_clustered_data_ontap | 9.6 ≤ 𝑥 |
netapp | vasa_provider_for_clustered_data_ontap | 9.6 ≤ 𝑥 |
netapp | virtual_storage_console | 9.6 ≤ 𝑥 |
oracle | autovue_for_agile_product_lifecycle_management | 21.0.2 |
oracle | banking_apis | 20.1 |
oracle | banking_apis | 21.1 |
oracle | banking_digital_experience | 20.1 |
oracle | banking_digital_experience | 21.1 |
oracle | communications_element_manager | 8.2.2 |
oracle | communications_services_gatekeeper | 7.0 |
oracle | communications_session_report_manager | 8.0.0 ≤ 𝑥 ≤ 8.2.4.0 |
oracle | communications_session_route_manager | 8.0.0 ≤ 𝑥 ≤ 8.2.4.0 |
oracle | siebel_core_-_automation | 𝑥 ≤ 21.9 |
𝑥 = Vulnerable software versions
Common Weakness Enumeration
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
- CWE-59 - Improper Link Resolution Before File Access ('Link Following'): The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.