製品・ソフトウェアに関する情報

JVN脆弱性詳細

Eclipse Jetty におけるリンク解釈に関する脆弱性

Title	Eclipse Jetty におけるリンク解釈に関する脆弱性
Summary	Eclipse Jetty には、リンク解釈に関する脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 1, 2021, midnight
Registration Date	Dec. 9, 2021, 3:43 p.m.
Last Update	Dec. 9, 2021, 3:43 p.m.

CVSS3.0 : 低
Score	2.7
Vector	CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

CVSS2.0 : 警告
Score	4
Vector	AV:N/AC:L/Au:S/C:P/I:N/A:N

Affected System

Apache Software Foundation

Apache Solr

Ignite

Fedora Project

Fedora

NetApp

Cloud Manager

E-Series Performance Analyzer

E-Series SANtricity OS Controller Software

E-Series SANtricity Web Services

Element plug-in for vCenter Server

SANtricity Cloud Connector

Eclipse Foundation

Jetty 10.0.0.beta2 から 10.0.1

Jetty 11.0.0.beta2 から 11.0.1

Jetty 9.4.32 から 9.4.38

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-28163	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28163
National Vulnerability Database (NVD)
2	CVE-2021-28163	https://nvd.nist.gov/vuln/detail/CVE-2021-28163

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-59	https://jvndb.jvn.jp/ja/cwe/CWE-59.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2021-35f06984d7	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/
2	FEDORA-2021-444e38face	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/
3	FEDORA-2021-fd66b2bd53	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
GitHub
4	Symlink Directory Exposes Webapp Directory Contents	https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
NetApp Advisory
5	NTAP-20210611-0006	https://security.netapp.com/advisory/ntap-20210611-0006/
Pony Mail
6	[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr (0wydzldg4f3vdpcp913hvo2505f6j6yg)	https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E
7	[jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr (thread/b2ztyhx3dkx4tshczngs471nw37sr3ss)	https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E

Change Log

No	Changed Details	Date of change
1	[2021年12月09日] 掲載	Dec. 9, 2021, 3:43 p.m.

NVD Vulnerability Information

CVE-2021-28163

Summary	In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Publication Date	April 2, 2021, 12:15 a.m.
Registration Date	April 2, 2021, 10:03 a.m.
Last Update	Nov. 21, 2024, 2:59 p.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:eclipse:jetty:11.0.0:beta2::::::
cpe:2.3:a:eclipse:jetty:10.0.0:beta2::::::
cpe:2.3:a:eclipse:jetty:11.0.0:-::::::
cpe:2.3:a:eclipse:jetty:11.0.1:::::::*
cpe:2.3:a:eclipse:jetty:11.0.0:beta3::::::
cpe:2.3:a:eclipse:jetty:10.0.1:::::::*
cpe:2.3:a:eclipse:jetty::::::::	9.4.32			9.4.39

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:32:::::::*
cpe:2.3:o:fedoraproject:fedora:33:::::::*
cpe:2.3:o:fedoraproject:fedora:34:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:apache:solr:8.8.1:::::::*
cpe:2.3:a:apache:ignite::::::::				2.1.1

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:santricity_cloud_connector:-:::::::*
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:a:netapp:e-series_performance_analyzer:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
cpe:2.3:a:netapp:virtual_storage_console::::::vmware_vsphere::*	9.6
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::vmware_vsphere::*	9.6
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::	9.6
cpe:2.3:a:netapp:cloud_manager:-:::::::*
cpe:2.3:a:netapp:snapcenter_plug-in:-:::::vmware_vsphere::
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::	11.0.0	11.70.1

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:oracle:banking_digital_experience:20.1:::::::*
cpe:2.3:a:oracle:communications_services_gatekeeper:7.0:::::::*
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:::::::*
cpe:2.3:a:oracle:siebel_core_-_automation::::::::		21.9
cpe:2.3:a:oracle:communications_session_report_manager::::::::	8.0.0	8.2.4.0
cpe:2.3:a:oracle:communications_session_route_manager::::::::	8.0.0	8.2.4.0
cpe:2.3:a:oracle:communications_element_manager:8.2.2:::::::*
cpe:2.3:a:oracle:banking_digital_experience:21.1:::::::*
cpe:2.3:a:oracle:banking_apis:20.1:::::::*
cpe:2.3:a:oracle:banking_apis:21.1:::::::*

Related information, measures and tools

No	URL	タグ
1	https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq	Exploit Third Party Advisory
2	https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq	Exploit Third Party Advisory
3	https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E
4	https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E
5	https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E
6	https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E
7	https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E
8	https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E
9	https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E
10	https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E
11	https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E
12	https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E
13	https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E
14	https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E
15	https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
16	https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
17	https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E
18	https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E
19	https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E
20	https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E
21	https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E
22	https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E
23	https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
24	https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
25	https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E
26	https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E
27	https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E
28	https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E
29	https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
30	https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
31	https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E
32	https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E
33	https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E
34	https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E
35	https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
36	https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
37	https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E
38	https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E
39	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/
40	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/
41	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
42	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/
43	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/
44	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/
45	https://security.netapp.com/advisory/ntap-20210611-0006/	Third Party Advisory
46	https://security.netapp.com/advisory/ntap-20210611-0006/	Third Party Advisory
47	https://www.oracle.com/security-alerts/cpuapr2022.html	Not Applicable Third Party Advisory
48	https://www.oracle.com/security-alerts/cpuapr2022.html	Not Applicable Third Party Advisory
49	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
50	https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory
51	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory
52	https://www.oracle.com/security-alerts/cpuoct2021.html	Patch Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-59	リンク解釈の問題	https://cwe.mitre.org/data/definitions/59.html

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:netapp:santricity_cloud_connector:-:::::::*
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:a:netapp:e-series_performance_analyzer:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_web_services:-:::::web_services_proxy::
cpe:2.3:a:netapp:virtual_storage_console::::::vmware_vsphere::*	9.6
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap::::::vmware_vsphere::*	9.6
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap::::::::	9.6
cpe:2.3:a:netapp:cloud_manager:-:::::::*
cpe:2.3:a:netapp:snapcenter_plug-in:-:::::vmware_vsphere::
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:::::::*
cpe:2.3:a:netapp:e-series_santricity_os_controller::::::::	11.0.0	11.70.1