Eclipse Jetty Information Disclosure Vulnerability (GHSA-vjv5-gp2w-65vm) - Windows CVE-2021-34429
- CVSSv3 Score
- Vulnerability description
Eclipse Jetty is prone to an information disclosure vulnerability.
- Risk description
URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164. The default compliance mode allows requests with URIs that contain a %u002e segment to access protected resources within the WEB-INF directory. For example, a request to /%u002e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml cal also retrieve the web.xml file.
Update to version 9.4.43, 10.0.6, 11.0.6 or later. Please see the referenced vendor advisory for a possible workaround.
- Not available