Akshay Kotecha Jain created KNOX-2615:
-----------------------------------------
Summary: Upgrade to jetty-webapp.9.4.33 due to CVE-2020-27216
Key: KNOX-2615
URL: https://issues.apache.org/jira/browse/KNOX-2615
Project: Apache Knox
Issue Type: Improvement
Reporter: Akshay Kotecha Jain
In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through
10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the
system's temporary directory is shared between all users on that system. A
co-located user can observe the process of creating a temporary subdirectory in
the shared temporary directory and race to complete the creation of that
subdirectory. If the attacker wins the race, they will have read and write
permission to the subdirectory used to unpack web applications, including their
WEB-INF/lib jar files and JSP files. If any code is ever executed out of this
temporary directory, this can lead to a local privilege escalation
vulnerability.
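As an added example (not part of this Jira issue, nor Knox or Jetty code), the defender-side pattern the description implies: refuse to unpack web applications under a directory shared with other local users, create the work directory atomically with a private mode, and verify ownership and permissions before using it. A Unix-like system is assumed; the function names and the scenario in demo() are constructed.

```python
import os
import shutil
import stat
import tempfile


def check_private_dir(path):
    # Reasons `path` is unsafe as a work directory; an empty list means private.
    st = os.lstat(path)  # lstat: never follow a link someone else planted
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return ["is a symlink or not a directory"]
    problems = []
    if st.st_uid != os.getuid():
        problems.append("owned by uid %d, not the current user" % st.st_uid)
    if stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others (mode %o)" % stat.S_IMODE(st.st_mode))
    return problems


def create_private_workdir(parent, prefix="webapp-"):
    # Refuse a shared parent such as /tmp; mkdtemp then creates the directory
    # atomically with a random name and mode 0700, and we re-check it before use.
    problems = check_private_dir(parent)
    if problems:
        raise PermissionError("parent %s %s" % (parent, "; ".join(problems)))
    path = tempfile.mkdtemp(prefix=prefix, dir=parent)
    problems = check_private_dir(path)
    if problems:
        raise PermissionError("work dir %s %s" % (path, "; ".join(problems)))
    return path


def demo():
    # Constructed scenario: a private parent, a /tmp-like parent and a symlink.
    base = tempfile.mkdtemp()  # private: created with mode 0700, owned by us
    shared, link = os.path.join(base, "shared"), os.path.join(base, "link")
    try:
        os.mkdir(shared)
        os.chmod(shared, 0o1777)  # sticky and world-writable, like /tmp
        os.symlink(shared, link)
        results = {"private": check_private_dir(base),
                   "shared": check_private_dir(shared),
                   "symlink": check_private_dir(link),
                   "work": check_private_dir(create_private_workdir(base))}
        try:
            create_private_workdir(shared)
            results["refused_shared"] = False
        except PermissionError:
            results["refused_shared"] = True
        return results
    finally:
        shutil.rmtree(base)
```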
--
This message was sent by Atlassian Jira
(v8.3.4#803005)