CVE-2021-28164

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Published: Apr 1, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-28164
GHSA: GHSA-v7ff-8wcx-gmc5
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
eclipse / jetty	9.4.37-20210219	9.4.37-20210219.x
eclipse / jetty	9.4.38-20210224	9.4.38-20210224.x
netapp / virtual_storage_console	9.6	9.6.x
netapp / storage_replication_adapter_for_clustered_data_ontap	9.6	9.6.x
netapp / vasa_provider_for_clustered_data_ontap	9.6	9.6.x
netapp / e-series_santricity_os_controller	11.0	11.70.1.x
oracle / banking_digital_experience	20.1	20.1.x
oracle / autovue_for_agile_product_lifecycle_management	21.0.2	21.0.2.x
oracle / siebel_core_-_automation	-	21.9.x
oracle / communications_session_route_manager	8.0.0	8.2.4.x
oracle / banking_digital_experience	21.1	21.1.x
oracle / banking_apis	20.1	20.1.x
oracle / banking_apis	21.1	21.1.x
org.eclipse.jetty / jetty-webapp	9.4.37	9.4.39

Vulnerability Database

289,599

CVE-2021-28164