CVE-2021-28163

Name	CVE-2021-28163
Description	In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jetty (PTS)	jessie, jessie (lts)	6.1.26-4+deb8u2	fixed
jetty8 (PTS)	jessie, jessie (lts)	8.1.16-4+deb8u1	fixed
jetty9 (PTS)	stretch (security), stretch (lts), stretch	9.2.30-0+deb9u2	fixed
	buster	9.4.16-0+deb10u1	fixed
	buster (security)	9.4.50-4+deb10u2	fixed
	bullseye	9.4.50-4+deb11u1	fixed
	bullseye (security)	9.4.50-4+deb11u2	fixed
	bookworm	9.4.50-4+deb12u2	fixed
	bookworm (security)	9.4.50-4+deb12u3	fixed
	sid, trixie	9.4.54-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
jetty	source	jessie	(not affected)
jetty	source	(unstable)	(unfixed)
jetty8	source	jessie	(not affected)
jetty8	source	(unstable)	(unfixed)
jetty9	source	stretch	(not affected)
jetty9	source	buster	(not affected)
jetty9	source	(unstable)	9.4.39-1

Notes

[buster] - jetty9 <not-affected> (Vulnerable code was introduced later)
[stretch] - jetty9 <not-affected> (Vulnerable code introduced in 9.4.32 according to upstream advisory, reproducer no-op)
https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq
https://github.com/eclipse/jetty.project/commit/37fffb1722604da1763d8a096ec5c5fb41ea0633
[jessie] - jetty <not-affected> (Vulnerable code introduced later)
[jessie] - jetty8 <not-affected> (Vulnerable code introduced later)