PT-2021-7303 · Eclipse · Eclipse Jetty

Published: 2021-04-01 · Updated: 2023-11-10 · CVE-2021-28164

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Eclipse Jetty versions 9.4.37.v20210219 through 9.4.38.v20210224
Description: The default HttpCompliance mode in Eclipse Jetty allows requests whose URIs contain %2e or %2e%2e path segments to reach protected resources under the WEB-INF directory, even though a plain request for the same path (/context/WEB-INF/...) is refused. For example, a request to /context/%2e/WEB-INF/web.xml retrieves web.xml, disclosing implementation details of the web application such as servlet mappings, filters and security constraints.
Recommendations: Update to Eclipse Jetty 9.4.39 or later. For Eclipse Jetty versions 9.4.37.v20210219 through 9.4.38.v20210224 where upgrading is not immediately possible, add jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS to the start.d/http.ini file to enable the HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS as a workaround; in that mode Jetty rejects requests whose URI contains percent-encoded dot segments instead of resolving them.
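As an added example (not code from this page or from the Jetty project), the following Python script finds CVE-2021-28164-style probes in a Jetty NCSA-format access log. It decodes each path segment once, flags segments that are percent-encoded but decode to "." or "..", and reports whether the normalised path lands in WEB-INF or META-INF. The log lines are constructed; the PROTECTED_SEGMENTS set, the per-segment single decode pass and the finding labels are this example's assumptions.

```python
"""Detect encoded dot-segment requests aimed at WEB-INF/META-INF (CVE-2021-28164)
in Jetty NCSA-style access logs.  Added example; the log lines are constructed."""
import re
from urllib.parse import unquote

# Jetty refuses direct requests for these context-relative directories; the bug
# was that a %2e/ or %2e%2e/ segment was not normalised before that check.
# Assumption of this example: any segment with one of these names is protected.
PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}

# NCSA request field, e.g. "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2021:10:00:01 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Apr/2021:10:00:02 +0000] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0',
    '203.0.113.7 - - [01/Apr/2021:10:00:03 +0000] "GET /context/index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Apr/2021:10:00:04 +0000] "GET /context/a/%2e%2e/WEB-INF/classes/app.properties HTTP/1.1" 200 300',
    '203.0.113.7 - - [01/Apr/2021:10:00:05 +0000] "GET /context/%2e%2e/other/ HTTP/1.1" 404 0',
]


def has_encoded_dot_segment(raw_path):
    """True if some segment is written with percent-encoding but decodes to '.' or '..'.

    A literal '.' or '..' is not ambiguous (the container normalises it before the
    protected-target check).  Double-encoded forms such as %252e decode to the
    string '%2e', not to a dot, so they are not flagged by this single decode pass.
    """
    for seg in raw_path.split("/"):
        if "%" in seg and unquote(seg) in (".", ".."):
            return True
    return False


def normalize(raw_path):
    """Percent-decode each segment once, then resolve '.' and '..' (RFC 3986 5.2.4).

    Decoding per segment keeps an encoded slash (%2f) inside its segment instead
    of turning it into a separator; encoded slashes are a separate ambiguity that
    this example does not try to judge.
    """
    out = [""]  # leading "" keeps the root slash when joined
    for seg in raw_path.split("/")[1:]:
        seg = unquote(seg)
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()
            continue
        out.append(seg)
    return "/".join(out) or "/"


def targets_protected(normalized_path):
    """True if the resolved path passes through a protected directory (case-insensitive)."""
    return any(seg.upper() in PROTECTED_SEGMENTS for seg in normalized_path.split("/"))


def scan_access_log(lines):
    """Return (raw_target, normalized_target, kind) for each request that uses an
    encoded dot segment.  kind is 'protected_bypass' when the resolved path reaches
    WEB-INF/META-INF, otherwise 'ambiguous_uri' (worth logging, but not this bug)."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        raw = m.group("target").split("?", 1)[0]  # drop the query string
        if not has_encoded_dot_segment(raw):
            continue
        norm = normalize(raw)
        kind = "protected_bypass" if targets_protected(norm) else "ambiguous_uri"
        findings.append((raw, norm, kind))
    return findings


if __name__ == "__main__":
    for raw, norm, kind in scan_access_log(SAMPLE_LOG):
        print(f"{kind:17} {raw}  ->  {norm}")
```

A request flagged as protected_bypass with a 200 status is the signature of a successful exploitation attempt; once RFC7230_NO_AMBIGUOUS_URIS is in effect, or after the upgrade, the same request should no longer return the resource, so re-running the scan after the change is a cheap way to confirm the setting actually took effect.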

Exploit

Fix

Information Disclosure

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2022-05510
CVE-2021-28164
GHSA-V7FF-8WCX-GMC5
OPENSUSE-SU-2021:2005-1
OPENSUSE-SU-2024:10878-1
RHSA-2021:1509
SUSE-SU-2021:2005-1

Affected Products

Eclipse Jetty
Suse