CVE-2021-28164
Last modified
CVE-2021-28164 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. EPSS estimates a 82.37% chance of exploitation in the next 30 days.
Description
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Eclipse | Jetty | 9.4.37 | 20210219 |
| Eclipse | Jetty | 9.4.38 | 20210224 |
| Netapp | Cloud Manager | All versions | — |
| Netapp | E-Series Performance Analyzer | All versions | — |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 | — |
| Netapp | E-Series Santricity Web Services | All versions | — |
| Netapp | Element Plug-In For Vcenter Server | All versions | — |
| Netapp | Santricity Cloud Connector | All versions | — |
| Netapp | Snapcenter | All versions | — |
| Netapp | Snapcenter Plug-In | All versions | — |
| Netapp | Storage Replication Adapter For Clustered Data Ontap | >= 9.6 | — |
| Netapp | Vasa Provider For Clustered Data Ontap | >= 9.6 | — |
| Netapp | Virtual Storage Console | >= 9.6 | — |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 | — |
| Oracle | Banking Apis | 20.1 | — |
| Oracle | Banking Apis | 21.1 | — |
| Oracle | Banking Digital Experience | 20.1 | — |
| Oracle | Banking Digital Experience | 21.1 | — |
| Oracle | Communications Session Route Manager | >= 8.0.0, <= 8.2.4 | — |
| Oracle | Siebel Core - Automation | <= 21.9 | — |
References
- http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.htmlExploit, Third Party Advisory, VDB Entry
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5Mitigation, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210611-0006/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlNot Applicable, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
- http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.htmlExploit, Third Party Advisory, VDB Entry
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5Mitigation, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210611-0006/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlNot Applicable, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpuoct2021.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-28164?
How severe is CVE-2021-28164?
How do I fix CVE-2021-28164?
Are you affected by CVE-2021-28164?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST