CVE-2021-28169

CVE-2021-28169

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Published Jun 10, 2021

Issue #6263 eclipse/jetty.project

CVSS ScoreMedium

5.3

Vulnerabilities

CVE-2021-28169

Published Jun 10, 2021

Issue #6263 eclipse/jetty.project

CVSS ScoreMedium

5.3

CVE-2021-28169 Security Details

CVE ID: CVE-2021-28169
CWE: CWE-200
NVD-CWE-Other
CVE Description: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Published: Jun 10, 2021
CVSS Score & Severity: 5.3Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 90.260%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/eclipse/jetty/servlets/ConcatServlet.doGet(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V
JVMVulnerable params: 0
org/eclipse/jetty/servlets/WelcomeFilter.doFilter(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;Ljavax/servlet/FilterChain;)V
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #6263PROJECT
GitHub · eclipse/jetty.projectPROJECT

CVE-2021-28169 Security Details

CVE ID: CVE-2021-28169
CWE: CWE-200
NVD-CWE-Other
CVE Description: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Published: Jun 10, 2021
CVSS Score & Severity: 5.3Medium
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score: 90.260%
Malware: malware
KEV Status: Not in KEV Catalog: No known exploits
Vulnerable Methods: org/eclipse/jetty/servlets/ConcatServlet.doGet(Ljavax/servlet/http/HttpServletRequest;Ljavax/servlet/http/HttpServletResponse;)V
JVMVulnerable params: 0
org/eclipse/jetty/servlets/WelcomeFilter.doFilter(Ljavax/servlet/ServletRequest;Ljavax/servlet/ServletResponse;Ljavax/servlet/FilterChain;)V
JVMVulnerable params: 0
Affected Ecosystems: affected
Source: National Vulnerability Database
References: GitHub · Issue #6263PROJECT
GitHub · eclipse/jetty.projectPROJECT

Find vulnerabilities. Fix fast with AI.

CVE-2021-28169

CVE-2021-28169 Security Details

CVE-2021-28169 Security Details