Vulnerability CVE-2021-28163

Vulnerability Name:

CVE-2021-28163 (CCN-199303)

Assigned:

2021-04-01

Published:

2021-04-01

Updated:

2022-05-12

Summary:

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

CVSS v3 Severity:

2.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
2.4 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

2.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
2.4 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): High User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-59

Vulnerability Consequences:

Obtain Information

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.0:-:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.1:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.0:beta3:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.32 and < 9.4.39)

Configuration 2:

cpe:/o:fedoraproject:fedora:32:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

OR cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:apache:solr:8.8.1:*:*:*:*:*:*:*

OR cpe:/a:apache:ignite:*:*:*:*:*:*:*:* (Version < 2.1.1)

Configuration 4:

cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*

OR cpe:/a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6

OR cpe:/a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6

OR cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* (Version >= 9.6

OR cpe:/a:netapp:cloud_manager:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*

OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0.0 and <= 11.70.1)

Configuration 5:

cpe:/a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_services_gatekeeper:7.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* (Version <= 21.9)

OR cpe:/a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0)

OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4.0)

OR cpe:/a:oracle:communications_element_manager:8.2.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_apis:20.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_apis:21.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:eclipse:jetty:10.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.0:beta2:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.1:*:*:*:*:*:*:*

AND

cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*

OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8024	P	jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:95293	P	Security update for java-17-openjdk (Important)	2022-08-03
oval:org.opensuse.security:def:3395	P	vsftpd-3.0.2-40.11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94894	P	evince-41.3-150400.1.11 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95025	P	jetty-http-9.4.43-3.12.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:6065	P	Security update for gcc48 (Moderate)	2022-06-08
oval:org.opensuse.security:def:102006	P	Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (Critical)	2022-02-16
oval:org.opensuse.security:def:101607	P	Security update for qemu (Low)	2022-01-25
oval:org.opensuse.security:def:112474	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105971	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:4485	P	Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5) (Important)	2021-09-16
oval:org.opensuse.security:def:111590	P	Security update for jetty-minimal (Important)	2021-07-11
oval:org.opensuse.security:def:65574	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:4555	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:97080	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:117787	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:74712	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:108273	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:101782	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:65644	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:5745	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:75902	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:108672	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:66834	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:76222	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:67154	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:74642	P	Security update for jetty-minimal (Important)	2021-06-17

BACK