In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2O, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of that subdirectory first. If the attacker wins the race, they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
Created jetty tracking bugs for this issue: Affects: fedora-all [bug 1891133]
Mitigation: Jetty users should create temp folders outside the normal /tmp structure, and ensure that their permissions are set so as not to be accessible by an attacker.
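The mitigation above (a dedicated temp directory outside /tmp, not accessible to other users) can be scripted and verified before Jetty starts. The following POSIX shell script is an added example written for this entry; it is not part of the Bugzilla record or of the Jetty project. It assumes GNU or BSD stat is available and that the directory is handed to the JVM through the java.io.tmpdir system property, which is the property Jetty consults for its unpack location; the directory path used here is a constructed placeholder. The creation step refuses a pre-existing path, because a path that already exists when the server expects to create it is exactly the condition the race in this CVE produces.

```shell
#!/bin/sh
# Added example (not from the Bugzilla entry or the Jetty project): create a
# dedicated, owner-only work directory for Jetty outside the shared /tmp and
# verify it before starting the server.

# Return 0 if DIR is a safe private directory: a real directory (not a
# symlink), owned by the invoking user, with no group/other permission bits.
check_private_dir() {
    dir=$1
    if [ -L "$dir" ]; then return 1; fi      # symlink: could point anywhere
    if [ ! -d "$dir" ]; then return 1; fi
    # Permission bits in octal; GNU stat first, BSD stat as fallback
    perms=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$dir" 2>/dev/null || stat -f '%u' "$dir" 2>/dev/null) || return 1
    if [ "$owner" != "$(id -u)" ]; then return 1; fi   # someone else owns it
    # The last two octal digits are the group and other bits; both must be 0
    case "$perms" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Create DIR with mode 0700.  umask 077 in a subshell ensures the directory
# never exists with a wider mode, even for an instant.  An existing path (or
# symlink) is refused rather than reused, since a pre-created path is what an
# attacker racing the creation would leave behind.
make_private_dir() {
    dir=$1
    if [ -e "$dir" ] || [ -L "$dir" ]; then
        echo "refusing to reuse existing path: $dir" >&2
        return 1
    fi
    (umask 077 && mkdir -m 0700 "$dir") || return 1
    check_private_dir "$dir"
}

# Print the JVM argument that points Jetty's unpack location at DIR.
jetty_tmpdir_arg() {
    printf '%s' "-Djava.io.tmpdir=$1"
}

# Usage: prepare a work directory under the service user's home (constructed
# placeholder path) and start Jetty with it.  Uncomment to run interactively.
# JETTY_WORK="$HOME/jetty-work"
# make_private_dir "$JETTY_WORK" || exit 1
# exec java "$(jetty_tmpdir_arg "$JETTY_WORK")" -jar /opt/jetty/start.jar
```

The important property is that the directory is created by, and only ever readable by, the account that runs Jetty, and that the server is started only after check_private_dir passes; a directory that fails the check (world-writable, owned by another user, or reachable through a symlink) should be treated as a deployment error rather than silently used.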
External References: https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
Upstream Fix: https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2020:5168 https://access.redhat.com/errata/RHSA-2020:5168
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-27216
This issue has been addressed in the following products: Red Hat AMQ Via RHSA-2020:5365 https://access.redhat.com/errata/RHSA-2020:5365
This issue has been addressed in the following products: Red Hat AMQ LTS 7.4.6 Via RHSA-2021:0329 https://access.redhat.com/errata/RHSA-2021:0329
Statement: In OpenShift Container Platform (OCP), the Hive/Presto/Hadoop components that comprise the OCP Metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the Metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2021:2499 https://access.redhat.com/errata/RHSA-2021:2499
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2021:2517 https://access.redhat.com/errata/RHSA-2021:2517
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.5 Via RHSA-2021:2431 https://access.redhat.com/errata/RHSA-2021:2431
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140