Vulnerability Description
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
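As a defender-side illustration of the class of issue described above (an added example, not code from the Jetty project or the advisory), the following screens request paths from access logs for attempts to reach WEB-INF through encoding or dot segments. The sample paths are constructed; the page does not say which encodings the bypass uses, so this check only normalizes standard percent-encoding and `..` segments and is a triage aid, not a substitute for upgrading to a fixed Jetty release.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample request paths as they might appear in an access log
# (hypothetical; not taken from the advisory).
SAMPLE_PATHS = [
    "/app/index.html",
    "/app/WEB-INF/web.xml",
    "/app/%57EB-INF/web.xml",               # percent-encoded 'W'
    "/app/static/..%2FWEB-INF%2Fweb.xml",   # encoded slash plus dot segment
    "/app/web-inf/web.xml",                 # case variation
]

# Jetty's WEB-INF directory is what the advisory says must stay unreachable.
PROTECTED = re.compile(r"(^|/)WEB-INF(/|$)", re.IGNORECASE)


def normalize_path(raw, max_rounds=3):
    """Strip the query, percent-decode until stable (bounded), then collapse
    dot segments the way a path resolver would, so that encoded or indirect
    spellings of the same location compare equal to the plain one."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return posixpath.normpath(path)


def is_protected_access(raw):
    """True when the normalized path lands inside WEB-INF."""
    return PROTECTED.search(normalize_path(raw)) is not None


def flag_requests(paths):
    """Return the subset of request paths that resolve into WEB-INF."""
    return [p for p in paths if is_protected_access(p)]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_PATHS):
        print("suspicious:", hit, "->", normalize_path(hit))
```

Any hit against a Jetty instance in the affected version ranges is worth checking against the server's actual response code, since a 200 rather than a 404 or 403 indicates the constraint was bypassed.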
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | >= 9.4.37, < 9.4.43 |
| NetApp | E-Series SANtricity OS Controller | >= 11.0, <= 11.70.1 |
| NetApp | E-Series SANtricity Web Services | - |
| NetApp | Element Plug-In For vCenter Server | - |
| NetApp | HCI Management Node | - |
| NetApp | Snap Creator Framework | - |
| NetApp | SnapCenter Plug-In | - |
| NetApp | SolidFire | - |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.5.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Rest Data Services | < 22.1.1 |
| Oracle | Retail Eftlink | 20.0.1 |
| Oracle | Stream Analytics | < 19.1.0.0.6.4 |
Related Weaknesses (CWE)
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm (Exploit, Third Party Advisory)
- https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a9
- https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e897
- https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee54
- https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16
- https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e76625851
- https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8
- https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f107129
- https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324
- https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb7
- https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72
- https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc
- https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d
- https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b
- https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb
FAQ
What is CVE-2021-34429?
CVE-2021-34429 is a vulnerability with a CVSS score of 5.3 (MEDIUM). For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security co...
How severe is CVE-2021-34429?
CVE-2021-34429 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-34429?
Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Jetty, NetApp E-Series SANtricity OS Controller, NetApp E-Series SANtricity Web Services, NetApp Element Plug-In For vCenter Server, NetApp HCI Management Node.