Enabled default configuration in org.eclipse.jetty:jetty-client
Description
Directory exposure in jetty
Impact
If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink (soft link in Linux), the contents of the ${jetty.base}/webapps directory may be deployed as a static web application, exposing the content of the directory for download.
For example, the problem manifests in the following ${jetty.base} layout, where webapps is a symlink to deploy:

```
demo-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│   └── async-rest.war
└── webapps -> deploy...
```
Workarounds
Do not use a symlink
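A defender-side check for the condition described above, added here as an example; it is not part of the advisory or of Jetty. It assumes POSIX sh with mktemp, readlink and find, and the function names jetty_symlink_check and make_demo_base are the example's own; make_demo_base rebuilds the demo-base layout from the advisory in a temporary directory as constructed sample input.

```shell
#!/bin/sh
# Report whether ${jetty.base} itself or ${jetty.base}/webapps is a symlink,
# the layout in which Jetty may deploy the webapps directory as a static
# web application. Exit status 0 = layout looks fine, 1 = affected layout.
jetty_symlink_check() {
    base="$1"
    affected=0
    if [ -L "$base" ]; then
        echo "AFFECTED: jetty.base '$base' is a symlink -> $(readlink "$base")"
        affected=1
    fi
    if [ -L "$base/webapps" ]; then
        echo "AFFECTED: '$base/webapps' is a symlink -> $(readlink "$base/webapps")"
        affected=1
    fi
    if [ "$affected" -eq 1 ] && [ -d "$base/webapps" ]; then
        # Everything below webapps is what would be exposed for download.
        echo "content that would be served statically:"
        find -L "$base/webapps" -type f | sed 's/^/  /'
    fi
    if [ "$affected" -eq 0 ]; then
        echo "OK: neither '$base' nor '$base/webapps' is a symlink"
    fi
    return "$affected"
}

# Constructed sample: the demo-base tree from the advisory, with an empty
# placeholder standing in for async-rest.war. Prints the jetty.base path.
make_demo_base() {
    root=$(mktemp -d)
    base="$root/demo-base"
    mkdir -p "$base/etc" "$base/lib" "$base/resources" "$base/start.d" "$base/deploy"
    : > "$base/deploy/async-rest.war"
    ln -s deploy "$base/webapps"   # webapps -> deploy, the affected layout
    echo "$base"
}
```

Run it against a real installation with `jetty_symlink_check /path/to/jetty.base`; a non-zero exit status flags the symlinked layout the workaround tells you to avoid.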
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| maven | | | 9.4.39.v20210325, 10.0.2, 11.0.2 |
| maven | | | 9.4.39.v20210325, 10.0.2, 11.0.2 |
| maven | | | 9.4.39.v20210325, 10.0.2, 11.0.2 |
| debian 14 | | | 9.4.39-1 |
| maven | | | 9.4.39.v20210325, 10.0.2, 11.0.2 |
| maven | | | 9.4.39, 10.0.2, 11.0.2 |
| maven | | | 2.2.0 |
| maven | | | 9.4.39.v20210325, 10.0.2, 11.0.2 |
| debian 12 | | | 9.4.39-1 |
| debian 11 | | | 9.4.39-1 |