Description
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Related CPEs
a / eclipse / jetty
o / fedoraproject / fedora
a / oracle / banking_apis
a / oracle / banking_digital_experience
References
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
https://security.netapp.com/advisory/ntap-20210611-0006/
https://www.oracle.com/security-alerts/cpuapr2022.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
2.7 · Low
CVSS V3.1
Information
Source identifier
Vulnerability status: Modified
Published: 2021-04-01T15:15:14.080 (4 years ago)
Last modified: 2023-11-07T03:32:04.707 (1 year ago)