CVE-2021-28163: 
Java vulnerability analysis and mitigation

CVE-2021-28163 affects Eclipse Jetty versions 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1. The vulnerability was discovered in March 2021 and publicly disclosed in April 2021. When a user configures a webapps directory as a symlink, the contents of that directory are inadvertently deployed as a static webapp, potentially exposing sensitive information (Eclipse Advisory, NVD).

The vulnerability occurs when a symbolic link is used for the ${jetty.base}/webapps directory. In this scenario, the contents of the webapps directory are incorrectly deployed as a static web application, which can lead to unintended exposure of the directory contents and any other files that might be in that location (Eclipse Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NetApp Advisory).

If exploited, this vulnerability could lead to the disclosure of sensitive information contained within the webapps directory. The exposure includes not only the web applications themselves but also any additional content present in the directory structure (Eclipse Advisory).

The vulnerability has been fixed in Jetty versions 9.4.39, 10.0.2, and 11.0.2. Until patches can be applied, the primary workaround is to avoid using symlinks for the webapps directory (Eclipse Advisory). Various vendors have released patches for their products containing affected Jetty versions, including Red Hat, Fedora, and NetApp (NetApp Advisory).