CWE
59 200
Advisory Published
CVE Published
Updated

CVE-2021-28163: Infoleak

First published: Thu Apr 01 2021(Updated: )

Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system.

Credit: emo@eclipse.org

Affected SoftwareAffected VersionHow to fix
redhat/rh-eclipse-jetty<0:9.4.40-1.1.el7_9
0:9.4.40-1.1.el7_9
redhat/jenkins<0:2.277.3.1620393611-1.el8
0:2.277.3.1620393611-1.el8
redhat/runc<0:1.0.0-95.rhaos4.8.gitcd80260.el8
0:1.0.0-95.rhaos4.8.gitcd80260.el8
redhat/jetty<9.4.39
9.4.39
redhat/jetty<10.0.2
10.0.2
redhat/jetty<11.0.2
11.0.2
Mortbay Jetty>=9.4.32<9.4.39
Mortbay Jetty=10.0.0-beta2
Mortbay Jetty=10.0.1
Mortbay Jetty=11.0.0
Mortbay Jetty=11.0.0-beta2
Mortbay Jetty=11.0.0-beta3
Mortbay Jetty=11.0.1
Red Hat Fedora=32
Red Hat Fedora=33
Red Hat Fedora=34
Apache Ignite<2.1.1
Apache Solr=8.8.1
Cloud Manager
NetApp E-Series Performance Analyzer
NetApp E-Series SANtricity OS Controller>=11.0.0<=11.70.1
NetApp E-Series SANtricity Web Services
NetApp Element Plug-in
NetApp SANtricity Cloud Connector
NetApp SnapCenter
Netapp Snapcenter Plug-in
NetApp Storage Replication Adapter for Clustered Data ONTAP for VMware vSphere>=9.6
NetApp VASA Provider>=9.6
NetApp Virtual Storage Console for VMware vSphere>=9.6
Oracle Agile Product Lifecycle Management=21.0.2
Oracle Banking APIs=20.1
Oracle Banking APIs=21.1
Oracle Banking Digital Experience=20.1
Oracle Banking Digital Experience=21.1
Oracle Communications Element Manager=8.2.2
GNU Gatekeeper=7.0
Oracle Communications Session Report Manager>=8.0.0<=8.2.4.0
Oracle Communications Session Route Manager>=8.0.0<=8.2.4.0
Oracle Siebel Core - Automation<=21.9

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Reference Links

Frequently Asked Questions

  • What is CVE-2021-28163?

    CVE-2021-28163 is a vulnerability in Eclipse Jetty that allows a remote authenticated attacker to obtain sensitive information.

  • How does CVE-2021-28163 work?

    CVE-2021-28163 occurs when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker can exploit this vulnerability to obtain webapp directory information.

  • What is the severity of CVE-2021-28163?

    The severity of CVE-2021-28163 is medium, with a severity value of 2.7.

  • Which versions of Jetty are affected by CVE-2021-28163?

    Jetty versions 9.4.32 to 9.4.39, 10.0.0-beta2 to 10.0.2, and 11.0.0-beta2 to 11.0.2 are affected by CVE-2021-28163.

  • How can I fix CVE-2021-28163?

    To fix CVE-2021-28163, it is recommended to update Jetty to version 9.4.39, 10.0.2, or 11.0.2.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203