Directory Traversal Vulnerability in Eclipse Jetty by Eclipse
CVE-2021-28163

2.7LOW

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Jetty
Vendor: CVE Published:; 1 April 2021

What is CVE-2021-28163?

A vulnerability in Eclipse Jetty versions from 9.4.32 to 9.4.38, as well as 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, arises when the webapps directory is a symlink. This configuration can lead to the unintentional deployment of the contents of the symlinked directory as a static web application, potentially exposing sensitive files or applications to unauthorized access.

Affected Version(s)

Eclipse Jetty 9.4.32

Eclipse Jetty <= 9.4.38

Eclipse Jetty 10.0.0.beta2

References

https://github.com/eclipse/jetty.project/security/advisor...

x_refsource_CONFIRM

https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4...

mailing-listx_refsource_MLIST

https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

2.7

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 1, 2021
Vulnerability Reserved
Mar 12, 2021

The Eclipse Foundation

What is CVE-2021-28163?

Affected Version(s)

References

CVSS V3.1

Timeline