CVE-2020-27216
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.
EPSS 0.07% · 22.2th percentile
Risk Scores
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | jetty | 0, 6.1.26-5ubuntu0.1, 6.1.26-5 |
| Ubuntu:16.04:LTS | jetty9 | 9.2.14-1, 0 |
| Ubuntu:14.04:LTS | jetty | 0, 6.1.26-1ubuntu1, 6.1.26-1ubuntu1.1 |
| Ubuntu:18.04:LTS | jetty9 | 9.2.22-2, 9.2.22-3, 0 |
| Ubuntu:16.04:LTS | jetty8 | 8.1.17-2, 8.1.18-2, 8.1.19-1 |
| Ubuntu:14.04:LTS | jetty8 | 8.1.3-8, 0, 8.1.3-9 |
| Ubuntu:20.04:LTS | jetty9 | 9.4.26-1, 0, 9.4.18-2build2 |
Exploit Intelligence
- CIRCL seen: CVE-2020-27216 (circl-sighting)
- [shiro-commits] 20201104 [GitHub] [shiro] coheigea opened a new pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 (circl)
- [directory-commits] 20201104 [directory-server] branch master updated: Updating Jetty to 9.4.33 to fix CVE-2020-27216 (circl)
- [kafka-jira] 20201104 [GitHub] [kafka] niteshmor opened a new pull request #9556: MINOR: Update jetty to 9.4.33 (circl)
- [shiro-commits] 20201104 [GitHub] [shiro] fpapon merged pull request #262: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 (circl)
- [shiro-commits] 20201104 [shiro] branch master updated: Update Jetty to 9.4.33.v20201020 to fix CVE-2020-27216 (circl)
- [druid-commits] 20201106 [GitHub] [druid] suneet-s opened a new pull request #10563: Bump jetty to latest version (circl)
- [beam-issues] 20201110 [jira] [Updated] (BEAM-11227) Upgrade beam-vendor-grpc-1_26_0-0.3 to fix CVE-2020-27216 (circl)
- [zookeeper-dev] 20201123 Owasp test failing - Jetty 9.4.32 - CVE-2020-27216 (circl)
- [zookeeper-issues] 20201123 [jira] [Created] (ZOOKEEPER-4017) Owasp check failing - Jetty 9.4.32 - CVE-2020-27216 (circl)
…and 152 more exploits
Timeline
- Oct 23, 2020 CVE Published
- Oct 23, 2020 PoC Published
- Apr 14, 2021 EPSS Score
- May 26, 2021 EPSS Score
- Jun 6, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 1, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-27216 third-party-advisory
- https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921 third-party-advisory
- https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb third-party-advisory
- https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f third-party-advisory
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6 third-party-advisory
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-g3wg-6mcf-8jj6#advisory-comment-63053 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-27216 third-party-advisory