CVE-2021-28164

Information Exposure in maven/org.eclipse.jetty/jetty-client

Identifiers

CVE-2021-28164, GHSA-v7ff-8wcx-gmc5

Package Slug

maven/org.eclipse.jetty/jetty-client

Vulnerability

Information Exposure

Description

In Eclipse Jetty v20210219 to v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
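As an added example for defenders (not part of the advisory and not Jetty code), the following script scans constructed access-log lines for the pattern the description names: a path segment that is percent-encoded to read as "." or ".." and that, once resolved, reaches a resource under WEB-INF. Log format, IP addresses and paths are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); not from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:12:00:01 +0000] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2021:12:00:02 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [10/Apr/2021:12:00:03 +0000] "GET /context/static/%2E%2E/WEB-INF/classes/app.properties HTTP/1.1" 200 300
10.0.0.9 - - [10/Apr/2021:12:00:04 +0000] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.9 - - [10/Apr/2021:12:00:05 +0000] "GET /context/%2e/index.html HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def has_encoded_dot_segment(raw_target):
    """True if any segment of the still-encoded path decodes to '.' or '..'
    without having been written literally (the advisory's %2e / %2e%2e case)."""
    path = raw_target.split("?", 1)[0]
    for seg in path.split("/"):
        if "%" in seg and unquote(seg) in (".", ".."):
            return True
    return False

def normalized_path(raw_target):
    """Decode the path and resolve '.' and '..' the way a lenient server would,
    so we can see which resource the request actually reaches."""
    path = unquote(raw_target.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def find_web_inf_probes(log_text):
    """Return the request targets that use encoded dot segments to land inside WEB-INF."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        resolved = normalized_path(target).upper() + "/"
        if has_encoded_dot_segment(target) and "/WEB-INF/" in resolved:
            hits.append(target)
    return hits
```

A direct /WEB-INF/ request and an encoded dot segment that resolves outside WEB-INF are deliberately left unflagged so the rule isolates the advisory's bypass rather than every odd-looking URI.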

Affected Versions

All versions starting from 9.4.37 up to 9.4.38

Solution

Upgrade to version 9.4.38.v20210224 or above.

Last Modified

2021-04-10
