HomePentest-Tools.com Logo

Eclipse Jetty Information Disclosure Vulnerability (GHSA-vjv5-gp2w-65vm) - Windows CVE-2021-34429

Severity
CVSSv3 Score
5.3
Vulnerability description

Eclipse Jetty is prone to an information disclosure vulnerability.

Risk description

URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164. The default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to /%u002e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.

Recommendation

Update to version 9.4.43, 10.0.6, 11.0.6 or later. Please see the referenced vendor advisory for a possible workaround.

Codename
Not available
Detectable with
Network Scanner
Scan engine
OpenVAS
Exploitable with Sniper
No
CVE Published
Jul 15, 2021
Detection added at
Software Type
Not available
Vendor
Not available
Product
Not available