CVE-2021-28164, GHSA-v7ff-8wcx-gmc5
maven/org.eclipse.jetty/jetty-client
Information Exposure
In Eclipse Jetty v20210219 to v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
All versions starting from 9.4.37 up to 9.4.38
Upgrade to version 9.4.38.v20210224 or above.
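As an added example (not from the advisory or the Jetty project), a log-review check that flags the request pattern described above: percent-encoded dot segments whose normalized path resolves into WEB-INF. The access-log lines are constructed, and the CLF-style layout is an assumption; adjust the request regex to your deployment's log format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (CLF-style); not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:12:00:01 +0000] "GET /context/index.html HTTP/1.1" 200 512
10.0.0.7 - - [10/Apr/2021:12:00:02 +0000] "GET /context/%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.7 - - [10/Apr/2021:12:00:03 +0000] "GET /context/static/%2e%2e/WEB-INF/web.xml HTTP/1.1" 200 2048
10.0.0.9 - - [10/Apr/2021:12:00:04 +0000] "GET /context/WEB-INF/web.xml HTTP/1.1" 404 0
10.0.0.9 - - [10/Apr/2021:12:00:05 +0000] "GET /context/a/../b.html HTTP/1.1" 200 100
"""

# Request line inside the quoted CLF field: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A path segment that is "." or ".." with at least one percent-encoded dot.
ENCODED_DOT_SEGMENT = re.compile(r'(?i)(^|/)(%2e%2e|\.%2e|%2e\.|%2e)(/|$)')


def normalize_path(raw_path):
    """Decode percent-encoding once, then resolve '.' and '..' segments the
    way a container would when mapping the path to a resource on disk."""
    decoded = unquote(raw_path.split('?', 1)[0])
    out = []
    for seg in decoded.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if out:
                out.pop()
            continue
        out.append(seg)
    return '/' + '/'.join(out)


def is_suspicious(raw_path):
    """True when the raw target uses an encoded dot segment AND its normalized
    form lands inside WEB-INF. Literal '.'/'..' segments are not flagged: the
    advisory concerns the encoded form slipping past the WEB-INF check."""
    if not ENCODED_DOT_SEGMENT.search(raw_path):
        return False
    return '/WEB-INF/' in normalize_path(raw_path) + '/'


def find_suspicious_requests(log_text):
    """Return (client_ip, raw_target) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group('target')):
            hits.append((line.split(' ', 1)[0], m.group('target')))
    return hits
```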
2021-04-10