dptetc/soapbox-race

CVE-2021-28169 (Medium) detected in jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar

Opened this issue · 0 comments

CVE-2021-28169 - Medium Severity Vulnerability

Vulnerable Libraries - jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar

jetty-http-9.4.17.v20190418.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.17.v20190418/jetty-http-9.4.17.v20190418.jar

Dependency Hierarchy:

  • jetty-server-9.4.17.v20190418.jar (Root Library)
    • jetty-http-9.4.17.v20190418.jar (Vulnerable Library)
jetty-server-9.4.17.v20190418.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar

Dependency Hierarchy:

  • jetty-server-9.4.17.v20190418.jar (Vulnerable Library)

Found in HEAD commit: 7baeabef941f276d373d889506fe0a0cf89f4ee6

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516

Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 9.4.35.v20201120


Step up your Open Source Security Game with Mend here