CVE-2021-28164: Input Validation
First published: Thu Apr 01 2021(Updated: )
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper input validation by the default compliance mode. By sending specially-crafted requests with URIs that contain %2e or %2e%2e segments, an attacker could exploit this vulnerability to access protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
Credit: emo@eclipse.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-eclipse-jetty | <0:9.4.40-1.1.el7_9 | 0:9.4.40-1.1.el7_9 |
| redhat/jetty | <9.4.39 | 9.4.39 |
| Eclipse Jetty | =9.4.37-20210219 | |
| Eclipse Jetty | =9.4.38-20210224 | |
| NetApp Cloud Manager | ||
| Netapp E-series Performance Analyzer | ||
| NetApp E-Series SANtricity OS Controller | >=11.0<=11.70.1 | |
| Netapp E-series Santricity Web Services Web Services Proxy | ||
| Netapp Element Plug-in For Vcenter Server | ||
| Netapp Santricity Cloud Connector | ||
| Netapp Snapcenter | ||
| Netapp Snapcenter Plug-in Vmware Vsphere | ||
| Netapp Storage Replication Adapter For Clustered Data Ontap Vmware Vsphere | >=9.6 | |
| Netapp Vasa Provider For Clustered Data Ontap | >=9.6 | |
| Netapp Virtual Storage Console Vmware Vsphere | >=9.6 | |
| Oracle Autovue For Agile Product Lifecycle Management | =21.0.2 | |
| Oracle Banking Apis | =20.1 | |
| Oracle Banking Apis | =21.1 | |
| Oracle Banking Digital Experience | =20.1 | |
| Oracle Banking Digital Experience | =21.1 | |
| Oracle Communications Session Route Manager | >=8.0.0<=8.2.4 | |
| Oracle Siebel Core - Automation | <=21.9 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/199304
- https://www.ibm.com/support/pages/node/6466729 (Advisory)
- http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
- https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E
- https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E
- https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E
- https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210611-0006/
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1945713
- https://github.com/eclipse/jetty.project/commit/d80c622b005c044e93f585c231b420a29371f6e0
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://access.redhat.com/errata/RHSA-2021:1509
- https://access.redhat.com/security/cve/cve-2021-28164
- https://access.redhat.com/errata/RHSA-2021:1560
- https://access.redhat.com/errata/RHSA-2021:2689
- https://access.redhat.com/errata/RHSA-2021:3225
- https://access.redhat.com/errata/RHSA-2021:3700
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/errata/RHSA-2021:5134
- https://access.redhat.com/errata/RHSA-2022:6407
- https://bugzilla.redhat.com/show_bug.cgi?id=1945712
- https://www.cve.org/CVERecord?id=CVE-2021-28164 https://nvd.nist.gov/vuln/detail/CVE-2021-28164 https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2021-28164?
The severity of CVE-2021-28164 is medium with a CVSS score of 5.3.
How does CVE-2021-28164 work?
CVE-2021-28164 allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory.
Which versions of Jetty are affected by CVE-2021-28164?
Eclipse Jetty versions 9.4.37.v20210219 to 9.4.38.v20210224 are affected by CVE-2021-28164.
How can I fix CVE-2021-28164?
Update your Eclipse Jetty installation to version 9.4.40-1.1.el7_9 or higher, or update your Jetty installation to version 9.4.39 or higher.
Where can I find more information about CVE-2021-28164?
You can find more information about CVE-2021-28164 on the CVE website, NVD website, GitHub security advisories, Red Hat Bugzilla, and Red Hat Errata.
- collector/redhat-cve
- collector/ibm-support
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/last-modified-date
- agent/author
- agent/weakness
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-28164
- agent/software-canonical-lookup
- agent/event
- agent/description
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/eclipse
- canonical/eclipse jetty
- version/eclipse jetty/9.4.37-20210219
- version/eclipse jetty/9.4.38-20210224
- vendor/netapp
- canonical/netapp cloud manager
- canonical/netapp e-series performance analyzer
- canonical/netapp e-series santricity os controller
- version/netapp e-series santricity os controller/11.0
- version/netapp e-series santricity os controller/11.70.1
- canonical/netapp e-series santricity web services web services proxy
- canonical/netapp element plug-in for vcenter server
- canonical/netapp santricity cloud connector
- canonical/netapp snapcenter
- canonical/netapp snapcenter plug-in vmware vsphere
- canonical/netapp storage replication adapter for clustered data ontap vmware vsphere
- version/netapp storage replication adapter for clustered data ontap vmware vsphere/9.6
- canonical/netapp vasa provider for clustered data ontap
- version/netapp vasa provider for clustered data ontap/9.6
- canonical/netapp virtual storage console vmware vsphere
- version/netapp virtual storage console vmware vsphere/9.6
- vendor/oracle
- canonical/oracle autovue for agile product lifecycle management
- version/oracle autovue for agile product lifecycle management/21.0.2
- canonical/oracle banking apis
- version/oracle banking apis/20.1
- version/oracle banking apis/21.1
- canonical/oracle banking digital experience
- version/oracle banking digital experience/20.1
- version/oracle banking digital experience/21.1
- canonical/oracle communications session route manager
- version/oracle communications session route manager/8.0.0
- version/oracle communications session route manager/8.2.4
- canonical/oracle siebel core - automation
- version/oracle siebel core - automation/21.9