{ "threat_severity" : "Moderate", "public_date" : "2021-04-01T00:00:00Z", "bugzilla" : { "description" : "jetty: Symlink directory exposes webapp directory contents", "id" : "1945710", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1945710" }, "cvss3" : { "cvss3_base_score" : "2.7", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-200", "details" : [ "In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.", "If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download. The highest threat from this vulnerability is to data confidentiality." ], "statement" : "In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty.\nSince the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix.\nThis may be fixed in the future.\n[1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.\nRed Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.", "affected_release" : [ { "product_name" : "Red Hat AMQ 7.8.2", "release_date" : "2021-07-12T00:00:00Z", "advisory" : "RHSA-2021:2689", "cpe" : "cpe:/a:redhat:amq_broker:7", "package" : "jetty-server" }, { "product_name" : "Red Hat AMQ 7.9.0", "release_date" : "2021-09-30T00:00:00Z", "advisory" : "RHSA-2021:3700", "cpe" : "cpe:/a:redhat:amq_broker:7" }, { "product_name" : "Red Hat AMQ Streams 1.6.4", "release_date" : "2021-05-13T00:00:00Z", "advisory" : "RHSA-2021:1560", "cpe" : "cpe:/a:redhat:amq_streams:1" }, { "product_name" : "Red Hat AMQ Streams 1.8.0", "release_date" : "2021-08-19T00:00:00Z", "advisory" : "RHSA-2021:3225", "cpe" : "cpe:/a:redhat:amq_streams:1", "package" : "jetty-server" }, { "product_name" : "Red Hat Developer Tools", "release_date" : "2021-05-06T00:00:00Z", "advisory" : "RHSA-2021:1509", "cpe" : "cpe:/a:redhat:devtools:2021", "package" : "rh-eclipse-jetty-0:9.4.40-1.1.el7_9" }, { "product_name" : "Red Hat Fuse 7.10", "release_date" : "2021-12-14T00:00:00Z", "advisory" : "RHSA-2021:5134", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "jetty" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "release_date" : "2021-11-23T00:00:00Z", "advisory" : "RHSA-2021:4767", "cpe" : "cpe:/a:redhat:camel_quarkus:2.2" }, { "product_name" : "Red Hat OpenShift Container Platform 4.7", "release_date" : "2021-05-19T00:00:00Z", "advisory" : "RHSA-2021:1551", "cpe" : "cpe:/a:redhat:openshift:4.7::el7", "package" : "jenkins-0:2.277.3.1620393611-1.el8" }, { "product_name" : "Red Hat OpenShift Container Platform 4.7", "release_date" : "2021-05-19T00:00:00Z", "advisory" : "RHSA-2021:1551", "cpe" : "cpe:/a:redhat:openshift:4.7::el7", "package" : "runc-0:1.0.0-95.rhaos4.8.gitcd80260.el7" }, { "product_name" : "RHAF Camel-K 1.8", "release_date" : "2022-09-09T00:00:00Z", "advisory" : "RHSA-2022:6407", "cpe" : "cpe:/a:redhat:integration:1", "package" : "jetty", "impact" : "low" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "jetty", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "eclipse:rhel8/jetty", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Affected", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:camel_quarkus:2", "impact" : "low" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Affected", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss A-MQ 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_amq:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jetty", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Out of support scope", "package_name" : "jetty-server", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Affected", "package_name" : "jenkins", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hive", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-presto", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "opendaylight", "cpe" : "cpe:/a:redhat:openstack:13" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-28163\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-28163\nhttps://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq" ], "name" : "CVE-2021-28163", "csaw" : false }