What is CVE-2021-28163?

This article covers a low-severity vulnerability in Eclipse Jetty affecting versions 9.4.32 to 11.0.1. Organizations should assess their risk and apply mitigations as necessary.

What is the severity of CVE-2021-28163?

CVE-2021-28163 has a severity rating of LOW with a CVSS base score of 2.7.

CVE-2021-28163 | Low Vulnerability in Eclipse Jetty

In Eclipse Jetty versions 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, a vulnerability has been identified that allows for the inadvertent deployment of web applications and their contents when a symlink is used for the webapps directory. This misconfiguration can lead to the exposure of sensitive information contained in that directory.

The severity of this vulnerability is classified as low, with a CVSS score of 2.7. Despite its low severity, the potential for misconfiguration could pose a risk to organizations using these versions of Eclipse Jetty, particularly if sensitive data is served inadvertently.

As this vulnerability is not actively exploited according to current intelligence, organizations are advised to assess their use of affected versions and prioritize their patching efforts accordingly.

Organizations should address this vulnerability in their patch cycle to reduce the risk of exposure and ensure secure configuration management.

The following section provides more detailed information about the vulnerability.

Vulnerability Details

The vulnerability allows for the deployment of unintended content due to the use of a symlink for the webapps directory in Eclipse Jetty. The CVSS score of 2.7 indicates a low severity, with impacts primarily limited to confidentiality.

The attack vector is network-based, requiring high privileges to exploit, but does not require user interaction. The vulnerability falls under two CWEs: CWE-200 (Information Exposure) and CWE-59 (Improper Link Resolution), highlighting the potential for misconfiguration leading to sensitive data exposure.

Published on April 1, 2021, this vulnerability has since been modified, and organizations using affected versions should consider upgrading to versions where this issue has been resolved.

Technical Analysis

The root cause of this vulnerability lies in the misconfiguration of symlinks in the webapps directory. Attackers who can manipulate these configurations may inadvertently serve sensitive files or applications that should remain private.

While the attack complexity is low, the privileges required are high, indicating that this vulnerability is more likely to be exploited by insiders or those with access to the server.

The impact on confidentiality is low, meaning that while sensitive information could be exposed, the extent of the exposure may be limited. The integrity and availability impacts are negligible, underscoring the relatively contained nature of this vulnerability.

Risk & Impact Analysis

Risk to organizations includes potential exposure of sensitive application data when a symlink is improperly configured. Given the low CVSS score, the urgency to patch is moderate, but organizations should not overlook the importance of secure configurations.

Organizations should schedule remediation of this vulnerability, particularly in environments where sensitive data is processed or stored. The potential blast radius, although limited, could still result in significant data exposure if not addressed.

Exploitation Status

Signal	Status
Known Exploit	No
Public PoC	No
Actively Exploited	No
Ransomware Use	No

Affected Versions

All versions of Eclipse Jetty from 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1 are affected by this vulnerability. Organizations should ensure they are using patched versions to mitigate risk.

Mitigation & Remediation

Organizations should prioritize upgrading to non-vulnerable versions of Eclipse Jetty. If immediate upgrading is not possible, consider implementing configuration changes to remove symlink usage in the webapps directory.

For more comprehensive security, organizations may benefit from services such as penetration testing that evaluate security configurations.

Detection Guidance

Monitoring for unusual access patterns in the webapps directory is crucial. Log indicators of unauthorized access attempts or unexpected file accesses to identify potential exploitation.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of proper configuration management in application servers. Security teams should ensure that symlinks are not misconfigured to expose sensitive content.

As part of a comprehensive security strategy, organizations should consider deploying solutions that offer application security assessments to identify such vulnerabilities before they can be exploited.

Additionally, organizations may enhance their security posture by utilizing web application penetration testing as part of their routine security evaluations.

By adopting these practices, organizations can effectively mitigate the risks associated with vulnerabilities like CVE-2021-28163.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2021-28163: Low Vulnerability in Eclipse Jetty