CVE-2021-28169

 

Published at: - 09-06-2021 04:15

Last modified: - 26-10-2022 01:40

Total changes: - 19

Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.html` can retrieve the web.html file. This can reveal sensitive information regarding the implementation of a web application.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

 

Verification logic

 

Reference

• https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
• [kafka-users] 20210617 vulnerabilities-Mailing List, Third Party Advisory
• [debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update-Mailing List, Third Party Advisory
• [kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41-Mailing List, Third Party Advisory
• [kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41-Mailing List, Third Party Advisory
• [kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41-Mailing List, Third Party Advisory
• [kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41-Mailing List, Third Party Advisory
• [kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41-Mailing List, Third Party Advisory
• [kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• https://security.netapp.com/advisory/ntap-20210727-0009/
• DSA-4949-Third Party Advisory
• [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42-Mailing List, Third Party Advisory
• https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E
• https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpuapr2022.html

 

Keywords

NVD

 

CVE-2021-28169

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures