CVE-2021-28164
Jetty 9.4.37.v20210219 - Information Disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
5Exploited in Wild
-Decision
Descriptions
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
En Eclipse Jetty versiones 9.4.37.v20210219 hasta 9.4.38.v20210224, el modo de cumplimiento predeterminado permite a unas peticiones con URI que contienen segmentos %2e o %2e%2e acceder a recursos protegidos dentro del directorio WEB-INF. Por ejemplo, una petición a /context/%2e/WEB-INF/web.xml puede recuperar el archivo web.xml. Esto puede divulgar información confidencial sobre la implementación de una aplicación web.
In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms. This release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red Hat AMQ Broker 7.8.2, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section. Issues addressed include bypass, denial of service, information leakage, resource exhaustion, and traversal vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-03-12 CVE Reserved
- 2021-04-01 CVE Published
- 2021-10-22 First Exploit
- 2024-08-03 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CAPEC
References (31)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/180705 | 2024-08-31 | |
| https://packetstorm.news/files/id/164590 | 2021-10-22 | |
| https://www.exploit-db.com/exploits/50438 | 2021-10-22 | |
| https://github.com/jammy0903/-jettyCVE-2021-28164- | 2024-10-02 | |
| http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html | 2024-08-03 |
| URL | Date | SRC |
|---|---|---|
| https://www.oracle.com/security-alerts/cpujan2022.html | 2023-11-07 | |
| https://www.oracle.com/security-alerts/cpuoct2021.html | 2023-11-07 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2021-28164 | 2022-09-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1945712 | 2022-09-09 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 9.4.37 Search vendor "Eclipse" for product "Jetty" and version "9.4.37" | 20210219 |
Affected
| ||||||
| Eclipse Search vendor "Eclipse" | Jetty Search vendor "Eclipse" for product "Jetty" | 9.4.38 Search vendor "Eclipse" for product "Jetty" and version "9.4.38" | 20210224 |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Manager Search vendor "Netapp" for product "Cloud Manager" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Performance Analyzer Search vendor "Netapp" for product "E-series Performance Analyzer" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller" | >= 11.0 <= 11.70.1 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.70.1" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | E-series Santricity Web Services Search vendor "Netapp" for product "E-series Santricity Web Services" | - | web_services_proxy |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Element Plug-in For Vcenter Server Search vendor "Netapp" for product "Element Plug-in For Vcenter Server" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Santricity Cloud Connector Search vendor "Netapp" for product "Santricity Cloud Connector" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapcenter Search vendor "Netapp" for product "Snapcenter" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Snapcenter Plug-in Search vendor "Netapp" for product "Snapcenter Plug-in" | - | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Storage Replication Adapter For Clustered Data Ontap Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" | >= 9.6 Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" and version " >= 9.6" | vmware_vsphere |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Vasa Provider For Clustered Data Ontap Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" | >= 9.6 Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version " >= 9.6" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Virtual Storage Console Search vendor "Netapp" for product "Virtual Storage Console" | >= 9.6 Search vendor "Netapp" for product "Virtual Storage Console" and version " >= 9.6" | vmware_vsphere |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" | 21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 20.1 Search vendor "Oracle" for product "Banking Apis" and version "20.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Apis Search vendor "Oracle" for product "Banking Apis" | 21.1 Search vendor "Oracle" for product "Banking Apis" and version "21.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience" | 21.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager" | >= 8.0.0 <= 8.2.4 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4" | - |
Affected
| ||||||
| Oracle Search vendor "Oracle" | Siebel Core - Automation Search vendor "Oracle" for product "Siebel Core - Automation" | <= 21.9 Search vendor "Oracle" for product "Siebel Core - Automation" and version " <= 21.9" | - |
Affected
| ||||||