CVE-2021-28169 (Medium) detected in jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar

Question

CVE-2021-28169 (Medium) detected in jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar

Opened this issue 2 years ago · 0 comments

mend-bolt-for-github commented 2 years ago

CVE-2021-28169 - Medium Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar

jetty-http-9.4.17.v20190418.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.17.v20190418/jetty-http-9.4.17.v20190418.jar

Dependency Hierarchy:

jetty-server-9.4.17.v20190418.jar (Root Library)
- ❌ jetty-http-9.4.17.v20190418.jar (Vulnerable Library)

jetty-server-9.4.17.v20190418.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar

Dependency Hierarchy:

❌ jetty-server-9.4.17.v20190418.jar (Vulnerable Library)

Found in HEAD commit: 7baeabef941f276d373d889506fe0a0cf89f4ee6

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 9.4.41.v20210516

Step up your Open Source Security Game with Mend here