CVE-2021-28163

Exploit

EPSS 0.21%
Published 01.04.2021 15:15:14
Last modified 21.11.2024 05:59:12
Source emo@eclipse.org
Teams watchlist Login
Open Login

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Affected products Warnungen 0 Metrics 4 CWE 2 References 29

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version >= 9.4.32 < 9.4.39

Eclipse ≫ Jetty Version10.0.0 Updatebeta2

Eclipse ≫ Jetty Version10.0.1

Eclipse ≫ Jetty Version11.0.0 Update-

Eclipse ≫ Jetty Version11.0.0 Updatebeta2

Eclipse ≫ Jetty Version11.0.0 Updatebeta3

Eclipse ≫ Jetty Version11.0.1

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Fedoraproject ≫ Fedora Version34

Apache ≫ Ignite Version < 2.1.1

Apache ≫ Solr Version8.8.1

Netapp ≫ Cloud Manager Version-

Netapp ≫ E-series Performance Analyzer Version-

Netapp ≫ E-series Santricity Os Controller Version >= 11.0.0 <= 11.70.1

Netapp ≫ E-series Santricity Web Services Version- SwPlatformweb_services_proxy

Netapp ≫ Element Plug-in For Vcenter Server Version-

Netapp ≫ Santricity Cloud Connector Version-

Netapp ≫ Snapcenter Version-

Netapp ≫ Snapcenter Plug-in Version- SwPlatformvmware_vsphere

Netapp ≫ Storage Replication Adapter For Clustered Data Ontap SwPlatformvmware_vsphere Version >= 9.6

Netapp ≫ Vasa Provider For Clustered Data Ontap Version >= 9.6

Netapp ≫ Virtual Storage Console SwPlatformvmware_vsphere Version >= 9.6

Oracle ≫ Autovue For Agile Product Lifecycle Management Version21.0.2

Oracle ≫ Banking Apis Version20.1

Oracle ≫ Banking Apis Version21.1

Oracle ≫ Banking Digital Experience Version20.1

Oracle ≫ Banking Digital Experience Version21.1

Oracle ≫ Communications Element Manager Version8.2.2

Oracle ≫ Communications Services Gatekeeper Version7.0

Oracle ≫ Communications Session Report Manager Version >= 8.0.0 <= 8.2.4.0

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.4.0

Oracle ≫ Siebel Core - Automation Version <= 21.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.436

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	4	8	2.9	AV:N/AC:L/Au:S/C:P/I:N/A:N
emo@eclipse.org	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

Not Applicable

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E