jetty-webapp-9.4.3.v20170317.jar: 1 vulnerabilities (highest severity is: 7.3) #58
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
dev-mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Jetty web application support
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.3.v20170317/jetty-webapp-9.4.3.v20170317.jar
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - jetty-webapp-9.4.3.v20170317.jar
Jetty web application support
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.3.v20170317/jetty-webapp-9.4.3.v20170317.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Publish Date: 2020-10-23
URL: CVE-2020-27216
CVSS 4 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: N/A
- Impact Metrics:
- Confidentiality Impact: N/A
- Integrity Impact: N/A
- Availability Impact: N/A
For more information on CVSS4 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
Release Date: 2020-10-23
Fix Resolution: 9.4.33.v20201020
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: