OESA-2021-1052

See a problem?
Please try reporting it to the source first.

Source

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1052

Import Source

https://repo.openeuler.org/security/data/osv/OESA-2021-1052.json

JSON Data

https://api.test.osv.dev/v1/vulns/OESA-2021-1052

Upstream

CVE-2020-27216

Published

2021-03-05T11:02:38Z

Modified

2025-08-12T05:06:04.562186Z

Summary

jetty security update

Details

Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms.

Security Fix(es):

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.(CVE-2020-27216)

Database specific

{
    "severity": "High"
}

References

Affected packages

openEuler:20.03-LTS-SP1 / jetty

Package

Name: jetty
Purl: pkg:rpm/openEuler/jetty&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.4.15-5.oe1

Ecosystem specific

{
    "src": [
        "jetty-9.4.15-5.oe1.src.rpm"
    ],
    "noarch": [
        "jetty-maven-plugin-9.4.15-5.oe1.noarch.rpm",
        "jetty-io-9.4.15-5.oe1.noarch.rpm",
        "jetty-webapp-9.4.15-5.oe1.noarch.rpm",
        "jetty-ant-9.4.15-5.oe1.noarch.rpm",
        "jetty-websocket-server-9.4.15-5.oe1.noarch.rpm",
        "jetty-infinispan-9.4.15-5.oe1.noarch.rpm",
        "jetty-continuation-9.4.15-5.oe1.noarch.rpm",
        "jetty-jaas-9.4.15-5.oe1.noarch.rpm",
        "jetty-jspc-maven-plugin-9.4.15-5.oe1.noarch.rpm",
        "jetty-fcgi-server-9.4.15-5.oe1.noarch.rpm",
        "jetty-quickstart-9.4.15-5.oe1.noarch.rpm",
        "jetty-http2-client-9.4.15-5.oe1.noarch.rpm",
        "jetty-annotations-9.4.15-5.oe1.noarch.rpm",
        "jetty-osgi-boot-warurl-9.4.15-5.oe1.noarch.rpm",
        "jetty-cdi-9.4.15-5.oe1.noarch.rpm",
        "jetty-nosql-9.4.15-5.oe1.noarch.rpm",
        "jetty-osgi-alpn-9.4.15-5.oe1.noarch.rpm",
        "jetty-rewrite-9.4.15-5.oe1.noarch.rpm",
        "jetty-xml-9.4.15-5.oe1.noarch.rpm",
        "jetty-http-spi-9.4.15-5.oe1.noarch.rpm",
        "jetty-httpservice-9.4.15-5.oe1.noarch.rpm",
        "jetty-jndi-9.4.15-5.oe1.noarch.rpm",
        "jetty-start-9.4.15-5.oe1.noarch.rpm",
        "jetty-websocket-servlet-9.4.15-5.oe1.noarch.rpm",
        "jetty-deploy-9.4.15-5.oe1.noarch.rpm",
        "jetty-project-9.4.15-5.oe1.noarch.rpm",
        "jetty-websocket-client-9.4.15-5.oe1.noarch.rpm",
        "jetty-osgi-boot-9.4.15-5.oe1.noarch.rpm",
        "jetty-javax-websocket-client-impl-9.4.15-5.oe1.noarch.rpm",
        "jetty-9.4.15-5.oe1.noarch.rpm",
        "jetty-proxy-9.4.15-5.oe1.noarch.rpm",
        "jetty-util-9.4.15-5.oe1.noarch.rpm",
        "jetty-alpn-server-9.4.15-5.oe1.noarch.rpm",
        "jetty-http-9.4.15-5.oe1.noarch.rpm",
        "jetty-spring-9.4.15-5.oe1.noarch.rpm",
        "jetty-util-ajax-9.4.15-5.oe1.noarch.rpm",
        "jetty-fcgi-client-9.4.15-5.oe1.noarch.rpm",
        "jetty-javadoc-9.4.15-5.oe1.noarch.rpm",
        "jetty-unixsocket-9.4.15-5.oe1.noarch.rpm",
        "jetty-jmx-9.4.15-5.oe1.noarch.rpm",
        "jetty-http2-hpack-9.4.15-5.oe1.noarch.rpm",
        "jetty-jsp-9.4.15-5.oe1.noarch.rpm",
        "jetty-jstl-9.4.15-5.oe1.noarch.rpm",
        "jetty-server-9.4.15-5.oe1.noarch.rpm",
        "jetty-plus-9.4.15-5.oe1.noarch.rpm",
        "jetty-javax-websocket-server-impl-9.4.15-5.oe1.noarch.rpm",
        "jetty-servlet-9.4.15-5.oe1.noarch.rpm",
        "jetty-client-9.4.15-5.oe1.noarch.rpm",
        "jetty-servlets-9.4.15-5.oe1.noarch.rpm",
        "jetty-osgi-boot-jsp-9.4.15-5.oe1.noarch.rpm",
        "jetty-websocket-common-9.4.15-5.oe1.noarch.rpm",
        "jetty-http2-http-client-transport-9.4.15-5.oe1.noarch.rpm",
        "jetty-security-9.4.15-5.oe1.noarch.rpm",
        "jetty-http2-common-9.4.15-5.oe1.noarch.rpm",
        "jetty-websocket-api-9.4.15-5.oe1.noarch.rpm",
        "jetty-jaspi-9.4.15-5.oe1.noarch.rpm",
        "jetty-alpn-client-9.4.15-5.oe1.noarch.rpm",
        "jetty-http2-server-9.4.15-5.oe1.noarch.rpm"
    ]
}