GHSA-j6qj-j888-vvgq

GitHub Security Advisory

Directory exposure in jetty

✓ GitHub Reviewed LOW Has CVE

Advisory Details

### Impact
If the `${jetty.base}` directory or the `${jetty.base}/webapps` directory is a symlink (soft link in Linux), the contents of the `${jetty.base}/webapps` directory may be deployed as a static web application, exposing the content of the directory for download.

For example, the problem manifests in the following `${jetty.base}`:
```
$ tree demo-base/
demo-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│   └── async-rest.war
└── webapps -> deploy
```

### Workarounds
Do not use a symlink for `${jetty.base}` or `${jetty.base}/webapps`.
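
A check for the layout described under Impact, as an added example that is not part of the advisory or of the Jetty project: the function `check_jetty_base` (a name chosen here) reports whether a base directory or its `webapps` entry is a symbolic link. The return codes are this example's own convention.

```shell
#!/bin/sh
# Added example: flag the layout from this advisory, where ${jetty.base}
# or ${jetty.base}/webapps is a symbolic link.
# Usage after sourcing this file: check_jetty_base /path/to/jetty-base
# Return codes (this example's convention):
#   0 = neither path is a symlink
#   1 = at least one of the two paths is a symlink
#   2 = the base directory does not exist
check_jetty_base() {
    base=$1

    # Strip trailing slashes. `test -L dir/` resolves the link first,
    # so "demo-base/" would hide a symlinked base directory.
    while [ "${base%/}" != "$base" ] && [ "$base" != "/" ]; do
        base=${base%/}
    done

    # A dangling symlink fails -e but passes -L, so test both.
    if [ ! -e "$base" ] && [ ! -L "$base" ]; then
        echo "missing: $base" >&2
        return 2
    fi

    found=0
    for p in "$base" "$base/webapps"; do
        if [ -L "$p" ]; then
            # readlink prints the link target without resolving it further.
            echo "symlink: $p -> $(readlink "$p")"
            found=1
        fi
    done
    return "$found"
}
```

On the `demo-base/` tree shown above, the function reports `webapps -> deploy` and returns 1.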

Affected Packages

Maven org.eclipse.jetty:jetty-deploy, affected versions: 9.4.32 (fixed in 9.4.39)
Maven org.eclipse.jetty:jetty-deploy, affected versions: 10.0.0 (fixed in 10.0.2)
Maven org.eclipse.jetty:jetty-deploy, affected versions: 11.0.0 (fixed in 11.0.2)

Key Information

GHSA ID: GHSA-j6qj-j888-vvgq
Published: April 6, 2021 5:32 PM
Last Modified: April 22, 2022 3:49 PM
CVSS Score: 2.5 / 10
Primary Ecosystem: Maven
Primary Package: org.eclipse.jetty:jetty-deploy
GitHub Reviewed: ✓ Yes

Dataset

Last updated: November 25, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.