CVE-2021-28163

Improper Link Resolution Before File Access in maven/org.eclipse.jetty/jetty-util

Identifiers

CVE-2021-28163, GHSA-j6qj-j888-vvgq

Package Slug

maven/org.eclipse.jetty/jetty-util

Vulnerability

Improper Link Resolution Before File Access

Description

In Eclipse Jetty, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

Affected Versions

All versions starting from 9.4.32 before 9.4.39, all versions starting from 10.0.0 up to 10.0.1, all versions starting from 11.0.0 up to 11.0.1

Solution

Upgrade to versions 9.4.39.v20210325, 10.0.2, 11.0.2 or above.
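
A triage check for the two conditions this advisory describes (an affected jetty-util version and a webapps directory that is itself a symlink), as an added example that is not part of the advisory or of the Jetty project. The function names and the sample paths are hypothetical; the version string and the webapps path are assumed to be supplied by the operator.

```shell
#!/bin/sh
# Returns 0 when the version falls in a range the advisory lists as affected:
# 9.4.32 up to (not including) 9.4.39, 10.0.0-10.0.1, 11.0.0-11.0.1.
jetty_version_affected() {
    v=${1%%.v*}                 # drop build qualifier: 9.4.39.v20210325 -> 9.4.39
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}     # keep only the leading digits of the patch field
    [ -n "$patch" ] || return 1 # unparseable version: do not claim a match
    case "$major.$minor" in
        9.4)       [ "$patch" -ge 32 ] && [ "$patch" -lt 39 ] ;;
        10.0|11.0) [ "$patch" -le 1 ] ;;
        *)         return 1 ;;
    esac
}

# Returns 0 when the webapps directory itself is a symbolic link.
webapps_is_symlink() {
    dir=${1%/}                  # a trailing slash would make the test follow the link
    [ -L "$dir" ]
}

# Prints a verdict; returns 0 only when both conditions hold.
jetty_symlink_exposure() {
    if jetty_version_affected "$1" && webapps_is_symlink "$2"; then
        echo "EXPOSED: jetty-util $1 with symlinked webapps directory $2"
        return 0
    fi
    echo "ok: jetty-util $1, webapps directory $2"
    return 1
}

# Constructed demo input: a temporary base whose webapps entry is a symlink.
demo_base=$(mktemp -d)
mkdir "$demo_base/real-webapps"
ln -s "$demo_base/real-webapps" "$demo_base/webapps"
jetty_symlink_exposure 9.4.38 "$demo_base/webapps" || true
jetty_symlink_exposure 9.4.39.v20210325 "$demo_base/webapps" || true
rm -rf "$demo_base"
```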

Last Modified

2021-04-10
