PT-2021-7933 · Eclipse+3 · Eclipse Jetty+3

Published: 2021-06-09 · Updated: 2025-08-05 · CVE-2021-28169

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Eclipse Jetty versions <= 9.4.40
Eclipse Jetty versions <= 10.0.2
Eclipse Jetty versions <= 11.0.2

Description

The vulnerability in the Eclipse Jetty servlet container is related to the lack of protection for service data. Exploitation of this issue can allow a remote attacker to obtain confidential information. Specifically, requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory. For example, a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file, revealing sensitive information about the web application's implementation. This occurs due to the double decoding of the supplied path by the ConcatServlet and WelcomeFilter, allowing paths with a doubly encoded WEB-INF to bypass security checks.

Recommendations

For Eclipse Jetty versions <= 9.4.40, update to version 9.4.41 or later.
For Eclipse Jetty versions <= 10.0.2, update to version 10.0.3 or later.
For Eclipse Jetty versions <= 11.0.2, update to version 11.0.3 or later.

As a temporary workaround, consider deploying your own version of the ConcatServlet and/or the WelcomeFilter using the code from the latest version of Jetty.
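
To check access logs for the doubly encoded request described above, a defender can percent-decode each logged request target until it stops changing and then look for protected directory names. The following Python is an added example, not code from Jetty or from this advisory; the Common Log Format, the sample log lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

PROTECTED = {"web-inf", "meta-inf"}  # directories a servlet container must not serve
MAX_ROUNDS = 5                       # assumed cap on nested encodings to unwrap
# Request line of a Common Log Format entry (assumed access-log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines, not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jun/2021:10:00:01 +0000] "GET /concat?/css/a.css&/css/b.css HTTP/1.1" 200 512',
    '192.0.2.11 - - [09/Jun/2021:10:00:02 +0000] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 2048',
    '192.0.2.12 - - [09/Jun/2021:10:00:03 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0',
    '192.0.2.13 - - [09/Jun/2021:10:00:04 +0000] "GET /search?q=100%25 HTTP/1.1" 200 10',
]

def fully_decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def hits_protected(target):
    """True if any path segment of the target names a protected directory."""
    return any(seg in PROTECTED for seg in re.split(r"[/\\?&;]+", target.lower()))

def classify(target):
    """Return 'multi-encoded', 'direct', or None for a raw request target."""
    final = fully_decode(target)
    if not hits_protected(final):
        return None
    # Visible after one decode: a check that decodes once already sees it.
    return "direct" if hits_protected(unquote(target)) else "multi-encoded"

def scan(lines):
    """Return (line_number, finding, target) for each suspicious log line."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (finding := classify(match.group(1))):
            findings.append((number, finding, match.group(1)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A "multi-encoded" finding is the case this advisory covers: the protected name only appears after a second decode, so a check applied after a single decode does not see it.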

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2024-16002
ALT-PU-2024-16022
ALT-PU-2024-16072
BDU:2023-05680
CVE-2021-28169
DLA-2688-1
DSA-4949-1
GHSA-GWCR-J4WH-J3CQ
OESA-2021-1249
OPENSUSE-SU-2021:2005-1
OPENSUSE-SU-2021_2005-1
OPENSUSE-SU-2024:10878-1
RHSA-2021:3758
SUSE-SU-2021:2005-1

Affected Products

Alt Linux
Astra Linux
Eclipse Jetty
Suse