#VU48942 Race condition in Jetty - CVE-2020-27216
Published: October 23, 2020 / Updated: December 13, 2020
Vulnerability identifier: #VU48942
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Clear
CVE-ID: CVE-2020-27216
CWE-ID: CWE-362
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vulnerable software:
Jetty
Jetty
Software vendor:
Eclipse
Eclipse
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a race condition. On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
Remediation
Install updates from vendor's website.
External links
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053
- https://lists.apache.org/thread.html/r07525dc424ed69b3919618599e762f9ac03791490ca9d724f2241442@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r09b345099b4f88d2bed7f195a96145849243fb4e53661aa3bcf4c176@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r0df8fe10fc36028cf6d0381ab66510917d0d68bc5ef7042001d03830@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r0e9efe032cc65433251ee6470c66c334d4e7db9101e24cf91a3961f2@%3Ccommits.directory.apache.org%3E
- https://lists.apache.org/thread.html/r0f5e9b93133ef3aaf31484bc3e15cc4b85f8af0fe4de2dacd9379d72@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r100c5c7586a23a19fdb54d8a32e17cd0944bdaa46277b35c397056f6@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r18b6f10d9939419bae9c225d5058c97533cb376c9d6d0a0733ddd48d@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1d45051310b11c6d6476f20d71b08ea97cb76846cbf61d196bac1c3f@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1dbb87c9255ecefadd8de514fa1d35c1d493c0527d7672cf40505d04@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r1ed79516bd6d248ea9f0e704dbfd7de740d5a75b71c7be8699fec824@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r2d17b2a4803096ba427f3575599ea29b55f5cf9dbc1f12ba044cae1a@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r3a763de620be72b6d74f46ec4bf39c9f35f8a0b39993212c0ac778ec@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r3e05ab0922876e74fea975d70af82b98580f4c14ba643c4f8a9e3a94@%3Cissues.beam.apache.org%3E
- https://lists.apache.org/thread.html/r4f29fb24639ebc5d15fc477656ebc2b3aa00fcfbe197000009c26b40@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r5494fdaf4a0a42a15c49841ba7ae577d466d09239ee1050458da0f29@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r568d354961fa88f206dc345411fb11d245c6dc1a8da3e80187fc6706@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r59e0878013d329dcc481eeafebdb0ee445b1e2852d0c4827b1ddaff2@%3Cissues.beam.apache.org%3E
- https://lists.apache.org/thread.html/r66e99d973fd79ddbcb3fbdb24f4767fe9b911f5b0abb05d7b6f65801@%3Ccommits.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r769411eb43dd9ef77665700deb7fc491fc3ceb532914260c90b56f2f@%3Cissues.beam.apache.org%3E
- https://lists.apache.org/thread.html/r7da5ae60d7973e8894cfe92f49ecb5b47417eefab4c77cc87514d3cf@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r874688141495df766e62be095f1dfb0bf4a24ca0340d8e0215c03fab@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r93d5e81e879120d8d87925dbdd4045cb3afa9b066f4370f60b626ce3@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/ra1f19625cc67ac1b459c558f2ea5647d71ce51c6fe4f4cb03baec849@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/ra55e04d5a73afcb8383f4386e2b26832c6e3972e53827021ab885943@%3Ccommits.shiro.apache.org%3E
- https://lists.apache.org/thread.html/ra5b7313d8cc9411db6790adfba33f2cf0665cb77adb7b02043c95867@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/rad255c736fad46135f1339408cb0147d0671e45c376c3be85ceeec1a@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/raf9c581b793c30ff8f55f2415c7bd337eb69775aae607bf9ed1b16fb@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rafb023a7c61180a1027819678eb2068b0b60cd5c2559cb8490e26c81@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rb8c007f87dc57731a7b9a3b05364530422535b7e0bc6a0c5b68d4d55@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/rbc5a8d7a0a13bc8152d427a7e9097cdeb139c6cfe111b2f00f26d16b@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rc2e24756d28580eeac811c5c6a12012c9f424b6e5bffb89f98ee3d03@%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/rc4b972ea10c5a65c6a88a6e233778718ab9af7f484affdd5e5de0cff@%3Ccommits.felix.apache.org%3E
- https://lists.apache.org/thread.html/rd58b60ab2e49ebf21022e59e280feb25899ff785c88f31fe314aa5b9@%3Ccommits.shiro.apache.org%3E
- https://lists.apache.org/thread.html/rdbf1cd0ab330c032f3a09b453cb6405dccc905ad53765323bddab957@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rde11c433675143d8d27551c3d9e821fe1955f1551a518033d3716553@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rde782fd8e133f7e04e50c8aaa4774df524367764eb5b85bf60d96747@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/re08b03cd1754b32f342664eead415af48092c630c8e3e0deba862a26@%3Ccommits.shiro.apache.org%3E
- https://lists.apache.org/thread.html/re5706141ca397587f7ee0f500a39ccc590a41f802fc125fc135cb92f@%3Cnotifications.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rfe6ba83d14545e982400dea89e68b10113cb5202a3dcb558ce64842d@%3Cissues.zookeeper.apache.org%3E
- https://security.netapp.com/advisory/ntap-20201123-0005/