Bug 1945710 (CVE-2021-28163) - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
Alias: CVE-2021-28163
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1952063 1952064 1945711 1947810 1947811
Blocks: 1945716
TreeView+ depends on / blocked
Reported: 2021-04-01 17:42 UTC by Pedro Sampaio
Modified: 2021-05-19 15:01 UTC (History)
44 users (show)

Fixed In Version: jetty 9.4.39, jetty 10.0.2, jetty 11.0.2
Doc Type: If docs needed, set a value
Doc Text:
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Last Closed: 2021-05-06 20:33:58 UTC

Attachments (Terms of Use)

Description Pedro Sampaio 2021-04-01 17:42:53 UTC
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.



Comment 1 Pedro Sampaio 2021-04-01 17:43:26 UTC
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 1945711]

Comment 3 Przemyslaw Roguski 2021-04-08 11:10:25 UTC
External References:


Comment 11 Jonathan Christison 2021-04-19 10:50:22 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 12 Jonathan Christison 2021-04-19 16:11:24 UTC
Marking Red Hat Camel K as having a low impact, although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer, http functionality is provided by camel-k default runtime, Quarkus.

Comment 16 Todd Cullum 2021-04-27 20:00:57 UTC

In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.
Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.
This may be fixed in the future.

[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated

Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.

Red Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.

Comment 17 errata-xmlrpc 2021-05-05 13:26:52 UTC
This issue has been addressed in the following products:

  Red Hat Developer Tools

Via RHSA-2021:1509 https://access.redhat.com/errata/RHSA-2021:1509

Comment 18 Product Security DevOps Team 2021-05-06 20:33:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 19 errata-xmlrpc 2021-05-13 15:16:10 UTC
This issue has been addressed in the following products:

  Red Hat AMQ Streams 1.6.4

Via RHSA-2021:1560 https://access.redhat.com/errata/RHSA-2021:1560

Comment 20 errata-xmlrpc 2021-05-19 15:01:01 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1551 https://access.redhat.com/errata/RHSA-2021:1551

Note You need to log in before you can comment on or make changes to this bug.