Vulnerability Name: CVE-2020-27216 (CCN-190474)

Assigned: 2020-10-22
Published: 2020-10-22
Updated: 2022-03-01
Summary: In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of that subdirectory. If the attacker wins the race, they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
CVSS v3 Severity: 7.0 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.1 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Local
  Attack Complexity (AC): High
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High

7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Local
  Attack Complexity (AC): Low
  Privileges Required (PR): Low
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): High
  Availability (A): High

CVSS v2 Severity: 4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
Exploitability Metrics:
  Access Vector (AV): Local
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): Partial
  Availability (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:
  Access Vector (AV): Local
  Access Complexity (AC): Low
  Authentication (Au): Single_Instance
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): Complete
  Availability (A): Complete

Vulnerability Type: CWE-Other
Vulnerability Consequences: Gain Privileges
References:

Source: MITRE
Type: CNA
CVE-2020-27216

Source: CCN
Type: Bugzilla - Bug 567921
Jetty vulnerable to temporary directory hijacking

Source: CONFIRM
Type: Exploit, Patch, Vendor Advisory
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921

Source: XF
Type: UNKNOWN
eclipse-cve202027216-priv-esc(190474)

Source: CCN
Type: jetty.project GIT Repository
Local Temp Directory Hijacking Vulnerability

Source: CONFIRM
Type: Exploit, Mitigation, Third Party Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210410 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [jira] [Updated] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210316 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210521 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [jira] [Assigned] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210423 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210326 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210330 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210219 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20201205 [jira] [Created] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20201124 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201123 [GitHub] [zookeeper] anmolnar opened a new pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210223 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210220 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210324 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210325 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210303 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201123 [GitHub] [zookeeper] ztzg commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210511 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210315 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210520 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210513 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210305 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-commits] 20210308 [iotdb] branch master updated: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20201124 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201218 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201211 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210311 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210312 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210223 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210512 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210520 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201123 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210305 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210311 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20201123 Re: Owasp test failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210303 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210402 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210525 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210327 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[zookeeper-commits] 20201124 [zookeeper] branch master updated: ZOOKEEPER-4017: Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210410 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210519 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210415 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210222 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210304 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210510 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210525 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201211 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210422 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210526 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [GitHub] [felix-dev] cziegeler merged pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210126 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210416 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210310 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201205 [jira] [Assigned] (ZOOKEEPER-4023) CLONE - Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210405 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210219 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210331 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210313 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210223 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210510 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210323 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210308 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210315 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210316 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210407 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210426 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210409 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210311 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[knox-dev] 20210601 [jira] [Created] (KNOX-2615) Upgrade to jetty-webapp.9.4.33 due to CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 commented on pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201124 [GitHub] [zookeeper] nkalmar commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [GitHub] [felix-dev] abhishekgarg18 opened a new pull request #63: FELIX-6364 Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210315 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201124 [GitHub] [zookeeper] asfgit closed pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201218 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210127 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210219 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210329 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210514 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210302 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210322 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [jira] [Created] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210517 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201205 [jira] [Updated] (ZOOKEEPER-4023) dependency-check:check failing - Jetty 9.4.34.v20201102 - CVE-2020-27218

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210312 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210322 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20201218 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[felix-dev] 20201125 [jira] [Resolved] (FELIX-6364) Security vulnerability CVE-2020-27216 ,update jetty

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210409 [jira] [Reopened] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[felix-commits] 20201125 [felix-dev] branch master updated: FELIX-6364 Security vulnerability CVE-2020-27216 , update jetty (#63)

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210303 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-reviews] 20210303 [GitHub] [iotdb] wangchao316 opened a new pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210408 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210310 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210526 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-notifications] 20210303 [jira] [Created] (IOTDB-1181) Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210302 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[iotdb-reviews] 20210308 [GitHub] [iotdb] jixuan1989 merged pull request #2768: [IOTDB-1181] Upgrade jetty jar to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list

Source: MLIST
Type: Mailing List, Patch, Third Party Advisory
[shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210402 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201124 [jira] [Resolved] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210406 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20201208 Re: [VOTE] Apache ZooKeeper release 3.5.9 candidate 0

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201123 [GitHub] [zookeeper] eolivelli commented on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-notifications] 20201124 [GitHub] [zookeeper] anmolnar edited a comment on pull request #1549: ZOOKEEPER-4017. Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210312 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210524 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210220 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210312 [jira] [Commented] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210312 [jira] [Assigned] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210409 [jira] [Comment Edited] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20201124 [jira] [Updated] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[beam-issues] 20210309 [jira] [Work logged] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20201123-0005/

Source: DEBIAN
Type: Third Party Advisory
DSA-4949

Source: CCN
Type: IBM Security Bulletin 6373292 (Content Classification)
Eclipse Jetty (Publicly disclosed vulnerability) affects Content Classification

Source: CCN
Type: IBM Security Bulletin 6398772 (Sterling Secure Proxy)
Vulnerability in Eclipse Jetty affects IBM Sterling Secure Proxy (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6398776 (Sterling External Authentication Server)
An Eclipse Jetty Vulnerability Affects IBM Sterling Secure External Authentication Server (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6407836 (Rational Performance Tester)
An Eclipse Jetty vulnerability affects IBM Rational Performance Tester (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6407856 (Rational Service Tester for SOA Quality)
A vulnerability in Eclipse Jetty affects IBM Rational Service Tester (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6409060 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 6409546 (MQ)
IBM MQ is vulnerable to an error within Eclipse Jetty (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6410456 (Network Performance Insight)
IBM Network Performance Insight 1.3.1 affected by Eclipse Jetty vulnerability (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6436411 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affects IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6453457 (Control Center)
Eclipse Jetty Vulnerability Affects IBM Control Center (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6466365 (DB2 for Linux, UNIX and Windows)
Multiple vulnerabilities in dependent libraries affect IBM Db2 leading to denial of service or privilege escalation.

Source: CCN
Type: IBM Security Bulletin 6466729 (Cognos Analytics)
IBM Cognos Analytics has addressed multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6467059 (Rational Synergy)
Vulnerability in Jasper, Version 8 Service Refresh 5 Fix Pack 33, used in Jetty Server 9.4.14 where Rational Synergy is deployed.

Source: CCN
Type: IBM Security Bulletin 6467063 (Rational Change)
Vulnerability in Jasper, Version 8 Service Refresh 5 Fix Pack 33, used in Jetty Server 9.4.14 where Rational Change is deployed.

Source: CCN
Type: IBM Security Bulletin 6496807 (Sterling B2B Integrator)
Eclipse Jetty Vulnerability Affects IBM Sterling B2B Integrator (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 6574045 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27216)

Source: CCN
Type: IBM Security Bulletin 7005945 (Storage Protect)
IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUJan2021
Oracle Critical Patch Update Advisory - January 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2021.html

Source: MISC
Type: Not Applicable, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2020-27216

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 1.0 and < 9.3.29)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.0 and <= 9.4.32)
  • OR cpe:/a:eclipse:jetty:10.0.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:beta0:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:vasa_provider:*:*:*:*:*:clustered_data_ontap:*:* (Version >= 7.2
  • OR cpe:/a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* (Version >= 7.2

Configuration 3:
  • cpe:/a:netapp:storage_replication_adapter:*:*:*:*:*:clustered_data_ontap:*:* (Version >= 7.2
  • AND
  • cpe:/a:vmware:vsphere:-:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_element_manager:*:*:*:*:*:*:*:* (Version >= 8.2.1 and <= 8.2.2.1)
  • OR cpe:/a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:* (Version >= 11.5.0 and <= 11.9.0)
  • OR cpe:/a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* (Version < 9.2.6.0)
  • OR cpe:/a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* (Version <= 21.5)

Configuration 5:
  • cpe:/a:apache:beam:2.21.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:beam:2.22.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:beam:2.23.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:beam:2.24.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:beam:2.25.0:*:*:*:*:*:*:*

Configuration 6:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:eclipse:jetty:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:9.4.32:20200930:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:alpha1:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.0:alpha1:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:content_classification:8.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_secure_proxy:3.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:11.1:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_synergy:7.2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:linux:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:unix:*:*
  • OR cpe:/a:ibm:db2:11.5:*:*:*:*:windows:*:*
  • OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:control_center:6.2.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    eclipse jetty *
    eclipse jetty *
    eclipse jetty 10.0.0 alpha1
    eclipse jetty 10.0.0 beta0
    eclipse jetty 10.0.0 beta1
    eclipse jetty 10.0.0 beta2
    eclipse jetty 11.0.0 alpha1
    eclipse jetty 11.0.0 beta1
    eclipse jetty 11.0.0 beta2
    netapp snap creator framework -
    netapp snapcenter -
    netapp vasa provider *
    netapp virtual storage console *
    netapp storage replication adapter *
    vmware vsphere -
    oracle communications application session controller 3.9m0p2
    oracle communications converged application server - service controller 6.2
    oracle communications element manager *
    oracle communications offline mediation controller 12.0.0.3.0
    oracle communications pricing design center 12.0.0.3.0
    oracle communications services gatekeeper 7.0
    oracle flexcube core banking *
    oracle flexcube private banking 12.0.0
    oracle flexcube private banking 12.1.0
    oracle jd edwards enterpriseone tools *
    oracle siebel core - automation *
    apache beam 2.21.0
    apache beam 2.22.0
    apache beam 2.23.0
    apache beam 2.24.0
    apache beam 2.25.0
    debian debian linux 9.0
    debian debian linux 10.0
    eclipse jetty 1.0
    eclipse jetty 9.4.32 20200930
    eclipse jetty 10.0.0 alpha1
    eclipse jetty 10.0.0 beta2
    eclipse jetty 11.0.0 alpha1
    ibm content classification 8.8
    ibm infosphere information server 11.5
    ibm sterling secure proxy 3.4.3
    ibm db2 11.1
    ibm db2 11.1
    ibm db2 11.1
    ibm cognos analytics 11.0
    ibm infosphere information server 11.7
    ibm sterling b2b integrator 6.0.0.0
    ibm sterling b2b integrator 5.2.0.0
    ibm rational service tester 9.5
    ibm rational functional tester 9.5
    ibm sterling b2b integrator 6.0.1.0
    ibm cognos analytics 11.1
    ibm rational synergy 7.2.1.0
    ibm db2 11.5
    ibm db2 11.5
    ibm db2 11.5
    ibm mq 9.2.0
    ibm sterling b2b integrator 6.1.0.0
    ibm control center 6.2.0.0