HomePentest-Tools.com Logo

Eclipse Jetty Information Disclosure Vulnerability (GHSA-vjv5-gp2w-65vm) - Windows CVE-2021-34429

CVSSv3 Score
Vulnerability description

Eclipse Jetty is prone to an information disclosure vulnerability.

Risk description

URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164. The default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to /%u002e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.


Update to version 9.4.43, 10.0.6, 11.0.6 or later. Please see the referenced vendor advisory for a possible workaround.

Not available
Detectable with
Network Scanner
Scan engine
Exploitable with Sniper
CVE Published
Jul 15, 2021
Detection added at
Software Type
Not available
Not available
Not available