PT-2021-6553 · Eclipse+2 · Eclipse Jetty+2

Published

2021-07-15

Updated

2025-09-29

CVE-2021-34429

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions Eclipse Jetty versions 9.4.37 through 9.4.42 Eclipse Jetty versions 10.0.1 through 10.0.5 Eclipse Jetty versions 11.0.1 through 11.0.5

Description The issue allows an attacker to craft URIs using encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is related to improper authorization in the Jetty servlet container, which can be exploited by a remote attacker to gain access to confidential data.

Recommendations For Eclipse Jetty versions 9.4.37 through 9.4.42, update to a version outside of this range to resolve the issue. For Eclipse Jetty versions 10.0.1 through 10.0.5, update to a version outside of this range to resolve the issue. For Eclipse Jetty versions 11.0.1 through 11.0.5, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the WEB-INF directory to minimize the risk of exploitation.

Exploit

Fix

Information Disclosure

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200CWE-551CWE-863

Related Identifiers

ALSA-2024_1444

ALSA-2025_16880

ALT-PU-2024-16002

ALT-PU-2024-16022

ALT-PU-2024-16072

BDU:2022-01815

CVE-2021-34429

GHSA-VJV5-GP2W-65VM

OPENSUSE-SU-2021:2838-1

OPENSUSE-SU-2021_2838-1

OPENSUSE-SU-2024:10878-1

SUSE-SU-2021:2838-1

SUSE-SU-2021_2838-1

Affected Products

Alt Linux

Eclipse Jetty

Suse

PT-2021-6553 · Eclipse+2 · Eclipse Jetty+2

CVE-2021-34429

Weakness Enumeration

Related Identifiers

Affected Products

References · 103