https://bugzilla.redhat.com/show_bug.cgi?id=1945710
Bug ID: 1945710
Summary: CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if the webapps directory is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves (the deployed WAR files and exploded directories) and anything else that might be in that directory.
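An added audit helper (example code written for this page, not from the bug report or the Jetty project) that encodes the two conditions above: a version inside the affected ranges and a webapps directory that is itself a symlink. It assumes a standard Jetty base layout with a `webapps` entry and the version string forms Jetty uses (`9.4.32.v20200930`, `10.0.0.beta2`, `10.0.1`).

```python
import os
import re
import tempfile

# Affected ranges from the description above, inclusive at both ends.
AFFECTED = [
    ("9.4.32", "9.4.38"),
    ("10.0.0.beta2", "10.0.1"),
    ("11.0.0.beta2", "11.0.1"),
]
_PRE = {"alpha": 0, "beta": 1}  # pre-release tags sort before a final release


def version_key(v: str) -> tuple:
    """Map 'MAJ.MIN.PATCH[.betaN]' to a sortable tuple (assumes Jetty's
    'beta2'-style suffix and the optional '.vYYYYMMDD' date qualifier)."""
    parts = re.sub(r"\.v\d{8}$", "", v).split(".")  # drop 9.4.x '.vYYYYMMDD'
    if len(parts) not in (3, 4):
        raise ValueError(f"unrecognised Jetty version: {v}")
    nums = tuple(int(p) for p in parts[:3])
    if len(parts) == 3:
        return nums + (9, 0)  # final release: sorts after any alpha/beta
    m = re.fullmatch(r"(alpha|beta)(\d*)", parts[3])
    if not m:
        raise ValueError(f"unrecognised Jetty version: {v}")
    return nums + (_PRE[m.group(1)], int(m.group(2) or 0))


def is_affected(version: str) -> bool:
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED)


def webapps_is_symlink(jetty_base: str) -> bool:
    """True when <jetty_base>/webapps is itself a symlink, the trigger here."""
    return os.path.islink(os.path.join(jetty_base, "webapps"))


def audit(jetty_base: str, version: str) -> bool:
    """True when the version is affected AND the webapps entry is a symlink."""
    return is_affected(version) and webapps_is_symlink(jetty_base)


def demo() -> tuple:
    """Constructed fixture: a safe base (real webapps dir) and an exposed base
    whose webapps entry is a symlink to it, both running Jetty 9.4.35."""
    root = tempfile.mkdtemp()
    safe, exposed = os.path.join(root, "safe"), os.path.join(root, "exposed")
    os.makedirs(os.path.join(safe, "webapps"))
    os.makedirs(exposed)
    os.symlink(os.path.join(safe, "webapps"), os.path.join(exposed, "webapps"))
    return audit(safe, "9.4.35"), audit(exposed, "9.4.35")  # (False, True)
```

On an affected version, replacing the symlinked `webapps` entry with a real directory (or upgrading past the ranges listed) clears the finding.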
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j8...