CVE-2020-27216 (Medium) detected in jetty-webapp-9.4.11.v20180605.jar, jetty-webapp-9.4.18.v20190429.jar - autoclosed #181
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #187 |
3 similar comments
|
ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #187 |
|
ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #187 |
|
ℹ️ This issue was automatically closed by WhiteSource because it is a duplicate of an existing issue: #187 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2020-27216 - Medium Severity Vulnerability
jetty-webapp-9.4.11.v20180605.jar
Jetty web application support
Library home page: http://www.eclipse.org/jetty
Path to dependency file: foxtrot/foxtrot-common/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.11.v20180605/jetty-webapp-9.4.11.v20180605.jar
Dependency Hierarchy:
jetty-webapp-9.4.18.v20190429.jar
Jetty web application support
Library home page: http://www.eclipse.org/jetty
Path to dependency file: foxtrot/foxtrot-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar
Dependency Hierarchy:
Found in HEAD commit: ffb8a6014463ce8aac1bf6e7dc9a23fc4a2a8adc
Found in base branch: master
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Publish Date: 2020-10-23
URL: CVE-2020-27216
Base Score Metrics not available
Type: Change files
Origin: jetty/jetty.project@53e0e0e
Release Date: 2020-10-15
Fix Resolution: Replace or update the following file: WebInfConfiguration.java
The text was updated successfully, but these errors were encountered: