CVE-2021-28163

CVSS V2 Medium 4 CVSS V3 Low 2.7
Description
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Overview
  • CVE ID
  • CVE-2021-28163
  • Assigner
  • emo@eclipse.org
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2021-04-01T15:15:14
  • Last Modified Date
  • 2022-05-12T14:36:01
Weakness Enumerations
CWE URL
CWE-59 http://cwe.mitre.org/data/definitions/59.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:* 1 OR 9.4.32 9.4.39
cpe:2.3:a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:eclipse:jetty:10.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:eclipse:jetty:11.0.0:-:*:*:*:*:*:* 1 OR
cpe:2.3:a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:a:eclipse:jetty:11.0.0:beta3:*:*:*:*:*:* 1 OR
cpe:2.3:a:eclipse:jetty:11.0.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:apache:ignite:*:*:*:*:*:*:*:* 1 OR 2.1.1
cpe:2.3:a:apache:solr:8.8.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* 1 OR 11.0.0 11.70.1
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:* 1 OR
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:* 1 OR
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* 1 OR 9.6
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* 1 OR 9.6
cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* 1 OR 9.6
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.2.4.0
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* 1 OR 8.0.0 8.2.4.0
cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* 1 OR 21.9
CVSS Version 2
  • Version
  • 2.0
  • Vector String
  • AV:N/AC:L/Au:S/C:P/I:N/A:N
  • Access Vector
  • NETWORK
  • Access Compatibility
  • LOW
  • Authentication
  • SINGLE
  • Confidentiality Impact
  • PARTIAL
  • Integrity Impact
  • NONE
  • Availability Impact
  • NONE
  • Base Score
  • 4
  • Severity
  • MEDIUM
  • Exploitability Score
  • 8
  • Impact Score
  • 2.9
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • HIGH
  • User Interaction
  • NONE
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • LOW
  • Availability Impact
  • NONE
  • Base Score
  • 2.7
  • Base Severity
  • LOW
  • Exploitability Score
  • 1.2
  • Impact Score
  • 1.4
References
Reference URL Reference Tags
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq Exploit Third Party Advisory
https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E Mailing List Patch Third Party Advisory
https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/ Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/ Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E Mailing List Patch Third Party Advisory
https://security.netapp.com/advisory/ntap-20210611-0006/ Third Party Advisory
https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E Mailing List Third Party Advisory
https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E Mailing List Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2021-28163
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
History
Created Old Value New Value Data Type Notes
2022-04-20 16:59:21 Added to TrackCVE
2022-12-06 00:50:01 security@eclipse.org emo@eclipse.org CVE Assigner updated
2022-12-06 00:50:01 2021-04-01T15:15Z 2021-04-01T15:15:14 CVE Published Date updated
2022-12-06 00:50:01 2022-05-12T14:36:01 CVE Modified Date updated
2022-12-06 00:50:01 Analyzed Vulnerability Status updated