CVE-2021-34429
Last modified
CVE-2021-34429 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.. EPSS estimates a 99.30% chance of exploitation in the next 30 days.
Description
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | >= 9.4.37, < 9.4.43 |
| Eclipse | Jetty | >= 10.0.1, < 10.0.6 |
| Eclipse | Jetty | >= 11.0.1, < 11.0.6 |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.1 |
| Netapp | E-Series Santricity Web Services | All versions |
| Netapp | Element Plug-In For Vcenter Server | All versions |
| Netapp | Hci Management Node | All versions |
| Netapp | Snap Creator Framework | All versions |
| Netapp | Snapcenter Plug-In | All versions |
| Netapp | Solidfire | All versions |
| Oracle | Autovue For Agile Product Lifecycle Management | 21.0.2 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Cloud Native Core Security Edge Protection Proxy | 1.5.0 |
| Oracle | Communications Cloud Native Core Service Communication Proxy | 1.14.0 |
| Oracle | Communications Cloud Native Core Unified Data Repository | 1.14.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.5.0.2 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.2.0 |
| Oracle | Financial Services Crime And Compliance Management Studio | 8.0.8.3.0 |
| Oracle | Rest Data Services | < 22.1.1 |
| Oracle | Retail Eftlink | 20.0.1 |
| Oracle | Stream Analytics | < 19.1.0.0.6.4 |
| Oracle | Stream Analytics | 19c |
References
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vmExploit, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210819-0006/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vmExploit, Third Party Advisory
- https://security.netapp.com/advisory/ntap-20210819-0006/Third Party Advisory
- https://www.oracle.com/security-alerts/cpuapr2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujan2022.htmlPatch, Third Party Advisory
- https://www.oracle.com/security-alerts/cpujul2022.htmlPatch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-34429?
How severe is CVE-2021-34429?
How do I fix CVE-2021-34429?
Are you affected by CVE-2021-34429?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST