CVE-2021-28169 (Medium) detected in jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar
Opened this issue · 0 comments
CVE-2021-28169 - Medium Severity Vulnerability
Vulnerable Libraries - jetty-http-9.4.17.v20190418.jar, jetty-server-9.4.17.v20190418.jar
jetty-http-9.4.17.v20190418.jar
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.17.v20190418/jetty-http-9.4.17.v20190418.jar
Dependency Hierarchy:
- jetty-server-9.4.17.v20190418.jar (Root Library)
- ❌ jetty-http-9.4.17.v20190418.jar (Vulnerable Library)
jetty-server-9.4.17.v20190418.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar
Dependency Hierarchy:
- ❌ jetty-server-9.4.17.v20190418.jar (Vulnerable Library)
Found in HEAD commit: 7baeabef941f276d373d889506fe0a0cf89f4ee6
Found in base branch: master
Vulnerability Details
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml
can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516
Direct dependency fix Resolution (org.eclipse.jetty:jetty-server): 9.4.35.v20201120
Step up your Open Source Security Game with Mend here