GHSA-j6qj-j888-vvgq

Source

https://github.com/advisories/GHSA-j6qj-j888-vvgq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-j6qj-j888-vvgq/GHSA-j6qj-j888-vvgq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j6qj-j888-vvgq

Aliases

Published

2021-04-06T17:32:00Z

Modified

2024-03-15T05:17:59.760049Z

Severity

2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Directory exposure in jetty

Details

Impact

If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}: ```$ tree demo-base/ demo-base/ ├── etc ├── lib ├── resources ├── start.d ├── deploy │ └── async-rest.war └── webapps -> deploy

```

Workarounds

Do not use a symlink

References

Affected packages

Maven / org.eclipse.jetty:jetty-deploy

Package

Name: org.eclipse.jetty:jetty-deploy; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.4.32

Fixed

9.4.39

Affected versions

9.*

9.4.32.v20200930

9.4.33.v20201020

9.4.34.v20201102

9.4.35.v20201120

9.4.36.v20210114

9.4.37.v20210219

9.4.38.v20210224

Maven / org.eclipse.jetty:jetty-deploy

Package

Name: org.eclipse.jetty:jetty-deploy; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.0.0

Fixed

10.0.2

Affected versions

10.*

10.0.0

10.0.1

Maven / org.eclipse.jetty:jetty-deploy

Package

Name: org.eclipse.jetty:jetty-deploy; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0

Fixed

11.0.2

Affected versions

11.*

11.0.0

11.0.1