CVE-2021-28164: Information Exposure
(updated )
In Eclipse Jetty the default compliance mode allows requests with URIs that contain %2e
or %2e%2e
segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml
can retrieve the web.xml
file. This can reveal sensitive information regarding the implementation of a web application.
References
Detect and mitigate CVE-2021-28164 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →