GHSA-j6qj-j888-vvgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-j6qj-j888-vvgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-j6qj-j888-vvgq/GHSA-j6qj-j888-vvgq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j6qj-j888-vvgq
Aliases
Published
2021-04-06T17:32:00Z
Modified
2024-03-15T05:16:32.245889Z
Severity
  • 2.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Directory exposure in jetty
Details

Impact

If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following ${jetty.base}: ```$ tree demo-base/ demo-base/ ├── etc ├── lib ├── resources ├── start.d ├── deploy │   └── async-rest.war └── webapps -> deploy

```

Workarounds

Do not use a symlink

References

Affected packages

Maven / org.eclipse.jetty:jetty-deploy

Package

Name
org.eclipse.jetty:jetty-deploy
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.4.32
Fixed
9.4.39

Affected versions

9.*

9.4.32.v20200930
9.4.33.v20201020
9.4.34.v20201102
9.4.35.v20201120
9.4.36.v20210114
9.4.37.v20210219
9.4.38.v20210224

Maven / org.eclipse.jetty:jetty-deploy

Package

Name
org.eclipse.jetty:jetty-deploy
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.2

Affected versions

10.*

10.0.0
10.0.1

Maven / org.eclipse.jetty:jetty-deploy

Package

Name
org.eclipse.jetty:jetty-deploy
View open source insights on deps.dev
Purl
pkg:maven/org.eclipse.jetty/jetty-deploy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
11.0.0
Fixed
11.0.2

Affected versions

11.*

11.0.0
11.0.1