CVE-2021-28169
09.06.2021, 02:15
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| eclipse | jetty | 𝑥 < 9.4.41 |
| eclipse | jetty | 10.0.0 ≤ 𝑥 < 10.0.3 |
| eclipse | jetty | 11.0.0 ≤ 𝑥 < 11.0.3 |
| debian | debian_linux | 9.0 |
| debian | debian_linux | 10.0 |
| oracle | communications_cloud_native_core_policy | 1.14.0 |
| oracle | rest_data_services | 𝑥 < 21.3 |
| netapp | active_iq_unified_manager | - |
| netapp | active_iq_unified_manager | - |
| netapp | hci | - |
| netapp | management_services_for_element_software | - |
| netapp | snap_creator_framework | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| jetty |
| ||||||||||||||||||||||||
| jetty8 |
| ||||||||||||||||||||||||
| jetty9 |
|
openSUSE / SLES Releases
openSUSE Product | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| jetty-http |
| ||||||||||||||||||||||||||||||||||||
| jetty-io |
| ||||||||||||||||||||||||||||||||||||
| jetty-security |
| ||||||||||||||||||||||||||||||||||||
| jetty-server |
| ||||||||||||||||||||||||||||||||||||
| jetty-servlet |
| ||||||||||||||||||||||||||||||||||||
| jetty-util |
| ||||||||||||||||||||||||||||||||||||
| jetty-util-ajax |
|
Amazon Linux Releases
Amazon Package | |||
|---|---|---|---|
| jetty-annotations |
| ||
| jetty-ant |
| ||
| jetty-client |
| ||
| jetty-continuation |
| ||
| jetty-deploy |
| ||
| jetty-http |
| ||
| jetty-io |
| ||
| jetty-jaas |
| ||
| jetty-jaspi |
| ||
| jetty-javadoc |
| ||
| jetty-jmx |
| ||
| jetty-jndi |
| ||
| jetty-jsp |
| ||
| jetty-jspc-maven-plugin |
| ||
| jetty-maven-plugin |
| ||
| jetty-monitor |
| ||
| jetty-plus |
| ||
| jetty-project |
| ||
| jetty-proxy |
| ||
| jetty-rewrite |
| ||
| jetty-runner |
| ||
| jetty-security |
| ||
| jetty-server |
| ||
| jetty-servlet |
| ||
| jetty-servlets |
| ||
| jetty-start |
| ||
| jetty-util |
| ||
| jetty-util-ajax |
| ||
| jetty-webapp |
| ||
| jetty-websocket-api |
| ||
| jetty-websocket-client |
| ||
| jetty-websocket-common |
| ||
| jetty-websocket-parent |
| ||
| jetty-websocket-server |
| ||
| jetty-websocket-servlet |
| ||
| jetty-xml |
|
Common Weakness Enumeration
References