Vulnerability Description
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | 9.4.37 |
| Netapp | Cloud Manager | - |
| Netapp | E-Series Performance Analyzer | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 |
| Netapp | E-Series Santricity Web Services | - |
| Netapp | Element Plug-In For Vcenter Server | - |
| Netapp | Santricity Cloud Connector | - |
| Netapp | Snapcenter | - |
| Netapp | Snapcenter Plug-In | - |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | >= 9.6 |
| Netapp | Vasa Provider For Clustered Data Ontap | >= 9.6 |
| Netapp | Virtual Storage Console | >= 9.6 |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Banking Apis | 20.1 |
| Oracle | Banking Digital Experience | 20.1 |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.4 |
| Oracle | Siebel Core - Automation | <= 21.9 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-DExploitThird Party AdvisoryVDB Entry
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5MitigationThird Party Advisory
- https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9
- https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc0
- https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16
- https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6
- https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f107129
- https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd7
- https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5
- https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9d
- https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918
- https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e99
- https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92
- https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e00
- https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a30
FAQ
What is CVE-2021-28164?
CVE-2021-28164 is a vulnerability with a CVSS score of 5.3 (MEDIUM). In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF direct...
How severe is CVE-2021-28164?
CVE-2021-28164 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-28164?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, Netapp Cloud Manager, Netapp E-Series Performance Analyzer, Netapp E-Series Santricity Os Controller, Netapp E-Series Santricity Web Services.