First published: Thu Jul 15 2021
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Credit: emo@eclipse.org
Affected Software | Affected Version | How to fix
---|---|---
redhat/jetty | <9.4.43 | 9.4.43
redhat/jetty | <10.0.6 | 10.0.6
redhat/jetty | <11.0.6 | 11.0.6
Eclipse Jetty | >=9.4.37, <9.4.43 | 9.4.43
Eclipse Jetty | >=10.0.1, <10.0.6 | 10.0.6
Eclipse Jetty | >=11.0.1, <11.0.6 | 11.0.6
NetApp E-Series SANtricity OS Controller | >=11.0, <=11.70.1 |
NetApp E-Series SANtricity Web Services Proxy | |
NetApp Element Plug-in for vCenter Server | |
NetApp HCI Management Node | |
NetApp Snap Creator Framework | |
NetApp SnapCenter Plug-in for VMware vSphere | |
NetApp SolidFire | |
Oracle AutoVue for Agile Product Lifecycle Management | =21.0.2 |
Oracle Communications Cloud Native Core Binding Support Function | =1.10.0 |
Oracle Communications Cloud Native Core Security Edge Protection Proxy | =1.5.0 |
Oracle Communications Cloud Native Core Service Communication Proxy | =1.14.0 |
Oracle Communications Cloud Native Core Unified Data Repository | =1.14.0 |
Oracle Communications Diameter Signaling Router | >=8.0.0.0, <=8.5.0.2 |
Oracle Financial Services Crime and Compliance Management Studio | =8.0.8.2.0 |
Oracle Financial Services Crime and Compliance Management Studio | =8.0.8.3.0 |
Oracle REST Data Services | <22.1.1 |
Oracle Retail EFTLink | =20.0.1 |
Oracle Stream Analytics | <19.1.0.0.6.4 |
Oracle Stream Analytics | =19c |
CVE-2021-34429 is a vulnerability in Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5, and 11.0.1-11.0.5 that allows crafted URIs to access the content of the WEB-INF directory and bypass security constraints.
The severity of CVE-2021-34429 is medium, with a CVSS score of 5.3.
The vulnerability can be exploited by crafting URIs using encoded characters to access the content of the WEB-INF directory and bypass security constraints.
Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5, and 11.0.1-11.0.5 are affected.
To fix CVE-2021-34429, upgrade to Jetty version 9.4.43, 10.0.6, or 11.0.6.
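Two things a defender wants from this advisory are an inventory check against the affected ranges above and a way to review access logs for requests that reach WEB-INF through encoded or dot-segment paths. The following Python is an added example written for this page, not code from the Jetty project or from SecAlerts. The version ranges come from the table; the log lines are constructed Common Log Format samples, and the encoded paths in them are generic illustrations of "encoded characters" rather than the specific byte sequences that trigger CVE-2021-34429. The normalization (bounded repeated percent-decoding, backslash folding, dot-segment collapse, case folding) is a review heuristic for log triage, not Jetty's own path handling.

```python
import re
from urllib.parse import unquote

# Affected Eclipse Jetty ranges from the advisory table: [inclusive low, exclusive high)
AFFECTED_RANGES = [
    ((9, 4, 37), (9, 4, 43)),
    ((10, 0, 1), (10, 0, 6)),
    ((11, 0, 1), (11, 0, 6)),
]
# Fixed release per major line, as stated in the advisory
FIXED_VERSIONS = {9: "9.4.43", 10: "10.0.6", 11: "11.0.6"}


def parse_version(version):
    """Turn '9.4.41.v20210516' into (9, 4, 41); non-numeric build suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected_jetty_version(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """Return the fixed release for an affected version, or None if not affected."""
    if not is_affected_jetty_version(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0]]


def normalize_path(raw_path, max_decode_rounds=3):
    """Heuristic normalization for log review (assumption: not Jetty's canonicalization).

    Strips the query string, percent-decodes repeatedly (bounded, so double encoding
    is unwrapped), folds backslashes to slashes and collapses '.' and '..' segments.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


PROTECTED_PREFIXES = ("/web-inf", "/meta-inf")

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def flag_protected_requests(log_lines):
    """Return (client, raw_path, normalized_path, status) for requests whose normalized
    path lands inside a protected directory, whatever the server answered."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, raw_path, status = m.groups()
        norm = normalize_path(raw_path)
        lowered = norm.lower()
        if any(lowered == p or lowered.startswith(p + "/") for p in PROTECTED_PREFIXES):
            hits.append((client, raw_path, norm, int(status)))
    return hits


# Constructed sample log lines (not real traffic); the two 200s are the worrying ones
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jul/2021:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Jul/2021:10:00:01 +0000] "GET /WEB-INF/web.xml HTTP/1.1" 404 0',
    '203.0.113.7 - - [15/Jul/2021:10:00:02 +0000] "GET /%57EB-INF/web.xml HTTP/1.1" 200 1420',
    '203.0.113.7 - - [15/Jul/2021:10:00:03 +0000] "GET /static/..%2FWEB-INF/web.xml HTTP/1.1" 200 1420',
    '203.0.113.9 - - [15/Jul/2021:10:00:04 +0000] "GET /%2557EB-INF/web.xml HTTP/1.1" 404 0',
    '203.0.113.9 - - [15/Jul/2021:10:00:05 +0000] "GET /webinfo/page HTTP/1.1" 200 88',
]

if __name__ == "__main__":
    for ver in ("9.4.41.v20210516", "9.4.43.v20210629", "10.0.2", "11.0.6"):
        print(ver, "affected" if is_affected_jetty_version(ver) else "ok", recommended_fix(ver))
    for hit in flag_protected_requests(SAMPLE_LOG):
        print(hit)
```

A request to WEB-INF that was answered with 404 is still worth listing: on a patched server that is the expected outcome, while a 200 on a normalized WEB-INF path is the signal that the constraint was bypassed. The decode loop is bounded on purpose so that a pathological input cannot keep the reviewer's script busy.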