2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-28163

GHSA ID

GHSA-j6qj-j888-vvgq

EPSS Score

0.40334%

CWE

CWE-59

Published

4/6/2021

Updated

2/1/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-28163

CVE-2021-28163:
Directory exposure in jetty

Impact

If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}:

demo-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│   └── async-rest.war
└── webapps -> deploy

Workarounds

Do not use a symlink

(GitHub Advisory)

2.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-28163

GHSA ID

GHSA-j6qj-j888-vvgq

EPSS Score

0.40334%

CWE

CWE-59

Published

4/6/2021

Updated

2/1/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.eclipse.jetty:jetty-deploy	maven	>= 9.4.32, < 9.4.39	9.4.39
org.eclipse.jetty:jetty-deploy	maven	>= 10.0.0, < 10.0.2	10.0.2
org.eclipse.jetty:jetty-deploy	maven	>= 11.0.0, < 11.0.2	11.0.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

### Imp**t I* t** `${j*tty.**s*}` *ir**tory or t** `${j*tty.**s*}/w***pps` *ir**tory is * symlink (so*t link in Linux), t** *ont*nts o* t** `${j*tty.**s*}/w***pps` *ir**tory m*y ** **ploy** *s * st*ti* w** *ppli**tion, *xposin* t** *ont*nt o* t** *ir

Reasoning

No *n*lysis *v*il**l*

2.7

Basic Information

Concerned about an active attack path?

CVE-2021-28163: Directory exposure in jetty

Impact

Workarounds

2.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-28163:
Directory exposure in jetty

Vulnerability Intelligence
Miggo AI