CVE-2021-28163: Infoleak
First published: Thu Apr 01 2021(Updated: )
Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain webapp directory contents information, and use this information to launch further attacks against the affected system.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-eclipse-jetty | <0:9.4.40-1.1.el7_9 | 0:9.4.40-1.1.el7_9 |
| redhat/jenkins | <0:2.277.3.1620393611-1.el8 | 0:2.277.3.1620393611-1.el8 |
| redhat/runc | <0:1.0.0-95.rhaos4.8.gitcd80260.el8 | 0:1.0.0-95.rhaos4.8.gitcd80260.el8 |
| redhat/jetty | <9.4.39 | 9.4.39 |
| redhat/jetty | <10.0.2 | 10.0.2 |
| redhat/jetty | <11.0.2 | 11.0.2 |
| Eclipse Jetty | >=9.4.32<9.4.39 | |
| Eclipse Jetty | =10.0.0-beta2 | |
| Eclipse Jetty | =10.0.1 | |
| Eclipse Jetty | =11.0.0 | |
| Eclipse Jetty | =11.0.0-beta2 | |
| Eclipse Jetty | =11.0.0-beta3 | |
| Eclipse Jetty | =11.0.1 | |
| Fedoraproject Fedora | =32 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Apache Ignite | <2.1.1 | |
| Apache Solr | =8.8.1 | |
| NetApp Cloud Manager | ||
| Netapp E-series Performance Analyzer | ||
| NetApp E-Series SANtricity OS Controller | >=11.0.0<=11.70.1 | |
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| Netapp Element Plug-in For Vcenter Server | ||
| Netapp Santricity Cloud Connector | ||
| Netapp Snapcenter | ||
| Netapp Snapcenter Plug-in Vmware Vsphere | ||
| Netapp Storage Replication Adapter For Clustered Data Ontap Vmware Vsphere | >=9.6 | |
| Netapp Vasa Provider For Clustered Data Ontap | >=9.6 | |
| Netapp Virtual Storage Console Vmware Vsphere | >=9.6 | |
| Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
| Oracle Banking Apis | =20.1 | |
| Oracle Banking Apis | =21.1 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Communications Element Manager | =8.2.2 | |
| Oracle Communications Services Gatekeeper | =7.0 | |
| Oracle Communications Session Report Manager | >=8.0.0<=8.2.4.0 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.4.0 | |
| Oracle Siebel Core - Automation | <=21.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/199303
- https://www.ibm.com/support/pages/node/6466729 (Advisory)
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
- https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E
- https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/
- https://security.netapp.com/advisory/ntap-20210611-0006/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1945711
- https://github.com/eclipse/jetty.project/commit/37fffb1722604da1763d8a096ec5c5fb41ea0633
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated
- https://access.redhat.com/errata/RHSA-2021:1509
- https://access.redhat.com/security/cve/cve-2021-28163
- https://access.redhat.com/errata/RHSA-2021:1560
- https://access.redhat.com/errata/RHSA-2021:1551
- https://access.redhat.com/errata/RHSA-2021:2689
- https://access.redhat.com/errata/RHSA-2021:3225
- https://access.redhat.com/errata/RHSA-2021:3700
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2022:6407
- https://bugzilla.redhat.com/show_bug.cgi?id=1945710
- https://www.cve.org/CVERecord?id=CVE-2021-28163 https://nvd.nist.gov/vuln/detail/CVE-2021-28163 https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-28163?
CVE-2021-28163 is a vulnerability in Eclipse Jetty that allows a remote authenticated attacker to obtain sensitive information.
How does CVE-2021-28163 work?
CVE-2021-28163 occurs when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sending a specially-crafted request, an attacker can exploit this vulnerability to obtain webapp directory information.
What is the severity of CVE-2021-28163?
The severity of CVE-2021-28163 is medium, with a severity value of 2.7.
Which versions of Jetty are affected by CVE-2021-28163?
Jetty versions 9.4.32 to 9.4.39, 10.0.0-beta2 to 10.0.2, and 11.0.0-beta2 to 11.0.2 are affected by CVE-2021-28163.
How can I fix CVE-2021-28163?
To fix CVE-2021-28163, it is recommended to update Jetty to version 9.4.39, 10.0.2, or 11.0.2.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-28163
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.4.32
- version/eclipse jetty/10.0.0-beta2
- version/eclipse jetty/10.0.1
- version/eclipse jetty/11.0.0
- version/eclipse jetty/11.0.0-beta2
- version/eclipse jetty/11.0.0-beta3
- version/eclipse jetty/11.0.1
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/32
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- vendor/apache
- canonical/apache ignite
- canonical/apache solr
- version/apache solr/8.8.1
- vendor/netapp
- canonical/netapp cloud manager
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp element plug-in for vcenter server
- canonical/netapp santricity cloud connector
- canonical/netapp snapcenter
- canonical/netapp snapcenter plug-in vmware vsphere
- canonical/netapp storage replication adapter for clustered data ontap vmware vsphere
- version/netapp storage replication adapter for clustered data ontap vmware vsphere/9.6
- canonical/netapp vasa provider for clustered data ontap
- version/netapp vasa provider for clustered data ontap/9.6
- canonical/netapp virtual storage console vmware vsphere
- version/netapp virtual storage console vmware vsphere/9.6
- vendor/oracle
- canonical/oracle autovue for agile product lifecycle management
- version/oracle autovue for agile product lifecycle management/21.0.2
- canonical/oracle banking apis
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle communications element manager
- version/oracle communications element manager/8.2.2
- canonical/oracle communications services gatekeeper
- version/oracle communications services gatekeeper/7.0
- canonical/oracle communications session report manager
- version/oracle communications session report manager/8.0.0
- version/oracle communications session report manager/8.2.4.0
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4.0
- canonical/oracle siebel core - automation
- version/oracle siebel core - automation/21.9