First published: Tue Jun 08 2021
Eclipse Jetty could allow a remote attacker to obtain sensitive information, due to a flaw in ConcatServlet. By sending a specially crafted request that uses a doubly encoded path, an attacker could retrieve protected resources from the WEB-INF directory and use that information to launch further attacks against the affected system.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jenkins | <0:2.289.3.1630554997-1.el8 | 0:2.289.3.1630554997-1.el8 |
IBM Cognos Command Center | <=10.2.4.1 | |
debian/jetty9 | 9.4.16-0+deb10u1, 9.4.50-4+deb10u1, 9.4.39-3+deb11u2, 9.4.50-4+deb11u1, 9.4.50-4+deb12u2, 9.4.53-1 | |
redhat/jetty | <9.4.41 | 9.4.41 |
redhat/jetty | <10.0.3 | 10.0.3 |
redhat/jetty | <11.0.3 | 11.0.3 |
Eclipse Jetty | <9.4.41 | |
Eclipse Jetty | >=10.0.0 <10.0.3 | |
Eclipse Jetty | >=11.0.0 <11.0.3 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle REST Data Services | <21.3 | |
Netapp Active Iq Unified Manager Linux | | |
Netapp Active Iq Unified Manager Windows | | |
Netapp Hci | | |
Netapp Management Services For Element Software | | |
NetApp Snap Creator Framework | | |
CVE-2021-28169 is a vulnerability in Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2 that allows a remote attacker to obtain sensitive information from protected resources within the web application.
The severity of CVE-2021-28169 is medium, with a CVSS score of 5.3.
An attacker can exploit CVE-2021-28169 by sending a specially-crafted request using a doubly encoded path.
Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2 are affected by CVE-2021-28169.
To mitigate CVE-2021-28169, update Jetty to version 9.4.41, 10.0.3, or 11.0.3.
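The advisory's defining pattern is a request target that only resolves into a protected directory after more than one round of percent-decoding. The following is an added detection example written for this page; it is not code from the advisory, SecAlerts, or the Jetty project. It decodes each request target in a web-server access log layer by layer, normalises the result, and reports targets that reach a `WEB-INF` or `META-INF` segment only at the second decode pass or later. Because the path ConcatServlet is mapped to is deployment-specific, the check inspects every request target (path and query) rather than assuming a servlet URL. The log lines, the `/%2557EB-INF/...` target and the status codes are constructed sample data, and the threshold of two decode layers is an assumption you can tune with `classify_target`, which reports the layer at which a protected name first appears.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Directories a servlet container treats as protected; a request target that
# resolves into one of them after decoding should never be served.
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Combined Log Format request line: "METHOD target HTTP/x.y"
_LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not from the advisory). Line 4 hides the
# 'W' of WEB-INF behind two encoding layers (%25 -> '%', then %57 -> 'W').
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jun/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [08/Jun/2021:10:00:02 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0 "-" "curl/7.68.0"
203.0.113.9 - - [08/Jun/2021:10:00:03 +0000] "GET /%57EB-INF/web.xml HTTP/1.1" 404 0 "-" "python-requests/2.25"
203.0.113.9 - - [08/Jun/2021:10:00:04 +0000] "GET /%2557EB-INF/web.xml HTTP/1.1" 200 900 "-" "python-requests/2.25"
"""


def decode_layers(target, max_layers=3):
    """Return successive percent-decodings of `target`: raw, once, twice, ...

    Stops early as soon as a decode pass changes nothing.
    """
    layers = [target]
    for _ in range(max_layers):
        decoded = unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


def protected_segment(target):
    """Return the protected directory name a decoded target resolves into, or None.

    Both the path and the query are examined, since a servlet may take resource
    names from either. normpath collapses '.' and '..' so traversal does not hide
    the segment; the comparison is case-insensitive.
    """
    for part in target.split("?", 1):
        segments = normpath("/" + part).strip("/").split("/")
        for seg in segments:
            if seg.upper() in PROTECTED_DIRS:
                return seg.upper()
    return None


def classify_target(target):
    """Return (layer_index, dir_name) for the first decode layer that reaches a
    protected directory, or None if no layer does.

    Layer 0 is the raw target, layer 1 a single decode (what a container normally
    checks), layer 2 or more means the reference was hidden behind extra encoding,
    the pattern CVE-2021-28169 describes.
    """
    for i, layer in enumerate(decode_layers(target)):
        name = protected_segment(layer)
        if name:
            return i, name
    return None


def scan_log(text, min_layers=2):
    """Return (line_no, target, layer, dir) for each log line whose request target
    reaches a protected directory only after `min_layers` or more decode passes."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = _LOG_RE.search(line)
        if not m:
            continue
        result = classify_target(m.group("target"))
        if result and result[0] >= min_layers:
            hits.append((n, m.group("target"), result[0], result[1]))
    return hits


if __name__ == "__main__":
    for line_no, target, layer, name in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {target!r} reaches {name} after {layer} decode passes")
```

Run against an access log, only the fourth sample line is reported: the plain and singly encoded references on lines 2 and 3 are the case a container's normal `WEB-INF` protection already rejects, so they are left at their lower layer index rather than raised as this specific pattern. On a patched Jetty (9.4.41, 10.0.3, 11.0.3 or later) a hit is still worth a look as a probe, but it should no longer correspond to a successful disclosure.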