jiachao2130/cvrf2cusa
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d1132d88d2
cvrf2cusa/cvrf/2021/cvrf-openEuler-SA-2021-1052.xml
Jia Chao 0b34274085 git mv 
Signed-off-by: Jia Chao <jiac13@chinaunicom.cn>
2024-07-25 09:57:37 +08:00

152 lines
15 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
<DocumentTitle xml:lang="en">An update for jetty is now available for openEuler-20.03-LTS-SP1</DocumentTitle>
<DocumentType>Security Advisory</DocumentType>
<DocumentPublisher Type="Vendor">
<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
<IssuingAuthority>openEuler security committee</IssuingAuthority>
</DocumentPublisher>
<DocumentTracking>
<Identification>
<ID>openEuler-SA-2021-1052</ID>
</Identification>
<Status>Final</Status>
<Version>1.0</Version>
<RevisionHistory>
<Revision>
<Number>1.0</Number>
<Date>2021-03-05</Date>
<Description>Initial</Description>
</Revision>
</RevisionHistory>
<InitialReleaseDate>2021-03-05</InitialReleaseDate>
<CurrentReleaseDate>2021-03-05</CurrentReleaseDate>
<Generator>
<Engine>openEuler SA Tool V1.0</Engine>
<Date>2021-03-05</Date>
</Generator>
</DocumentTracking>
<DocumentNotes>
<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">jetty security update</Note>
<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for jetty is now available for openEuler-20.03-LTS-SP1.</Note>
<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully featured web server for static and dynamic content. Unlike separate server/container solutions, this means that your web server and web application run in the same process, without interconnection overheads and complications. Furthermore, as a pure java component, Jetty can be simply included in your application for demonstration, distribution or deployment. Jetty is available on all Java supported platforms.
Security Fix(es):
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.(CVE-2020-27216)</Note>
<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for jetty is now available for openEuler-20.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">jetty</Note>
</DocumentNotes>
<DocumentReferences>
<Reference Type="Self">
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1052</URL>
</Reference>
<Reference Type="openEuler CVE">
<URL>https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-27216</URL>
</Reference>
<Reference Type="Other">
<URL>https://nvd.nist.gov/vuln/detail/CVE-2020-27216</URL>
</Reference>
</DocumentReferences>
<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
<Branch Type="Product Name" Name="openEuler">
<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="noarch">
<FullProductName ProductID="jetty-maven-plugin-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-maven-plugin-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-io-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-io-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-webapp-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-webapp-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-ant-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-ant-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-websocket-server-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-websocket-server-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-infinispan-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-infinispan-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-continuation-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-continuation-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jaas-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jaas-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jspc-maven-plugin-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jspc-maven-plugin-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-fcgi-server-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-fcgi-server-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-quickstart-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-quickstart-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http2-client-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http2-client-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-annotations-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-annotations-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-osgi-boot-warurl-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-osgi-boot-warurl-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-cdi-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-cdi-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-nosql-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-nosql-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-osgi-alpn-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-osgi-alpn-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-rewrite-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-rewrite-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-xml-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-xml-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http-spi-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http-spi-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-httpservice-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-httpservice-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jndi-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jndi-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-start-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-start-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-websocket-servlet-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-websocket-servlet-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-deploy-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-deploy-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-project-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-project-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-websocket-client-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-websocket-client-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-osgi-boot-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-osgi-boot-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-javax-websocket-client-impl-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-javax-websocket-client-impl-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-proxy-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-proxy-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-util-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-util-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-alpn-server-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-alpn-server-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-spring-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-spring-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-util-ajax-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-util-ajax-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-fcgi-client-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-fcgi-client-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-javadoc-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-javadoc-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-unixsocket-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-unixsocket-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jmx-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jmx-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http2-hpack-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http2-hpack-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jsp-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jsp-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jstl-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jstl-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-server-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-server-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-plus-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-plus-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-javax-websocket-server-impl-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-javax-websocket-server-impl-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-servlet-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-servlet-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-client-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-client-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-servlets-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-servlets-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-osgi-boot-jsp-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-osgi-boot-jsp-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-websocket-common-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-websocket-common-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http2-http-client-transport-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http2-http-client-transport-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-security-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-security-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http2-common-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http2-common-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-websocket-api-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-websocket-api-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-jaspi-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-jaspi-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-alpn-client-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-alpn-client-9.4.15-5.oe1.noarch.rpm</FullProductName>
<FullProductName ProductID="jetty-http2-server-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-http2-server-9.4.15-5.oe1.noarch.rpm</FullProductName>
</Branch>
<Branch Type="Package Arch" Name="src">
<FullProductName ProductID="jetty-9.4.15-5" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">jetty-9.4.15-5.oe1.src.rpm</FullProductName>
</Branch>
</ProductTree>
<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
<Notes>
<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.</Note>
</Notes>
<ReleaseDate>2021-03-05</ReleaseDate>
<CVE>CVE-2020-27216</CVE>
<ProductStatuses>
<Status Type="Fixed">
<ProductID>openEuler-20.03-LTS-SP1</ProductID>
</Status>
</ProductStatuses>
<Threats>
<Threat Type="Impact">
<Description>High</Description>
</Threat>
</Threats>
<CVSSScoreSets>
<ScoreSet>
<BaseScore>7.0</BaseScore>
<Vector>AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H</Vector>
</ScoreSet>
</CVSSScoreSets>
<Remediations>
<Remediation Type="Vendor Fix">
<Description>jetty security update</Description>
<DATE>2021-03-05</DATE>
<URL>https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1052</URL>
</Remediation>
</Remediations>
</Vulnerability>
</cvrfdoc>
Reference in New Issue View Git Blame Copy Permalink