CVE-2021-28164

Jetty 9.4.37.v20210219 - Information Disclosure

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

En Eclipse Jetty versiones 9.4.37.v20210219 hasta 9.4.38.v20210224, el modo de cumplimiento predeterminado permite a unas peticiones con URI que contienen segmentos %2e o %2e%2e acceder a recursos protegidos dentro del directorio WEB-INF. Por ejemplo, una petición a /context/%2e/WEB-INF/web.xml puede recuperar el archivo web.xml. Esto puede divulgar información confidencial sobre la implementación de una aplicación web.

In Jetty the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.

Jetty version 9.4.37.v20210219 suffers from an information disclosure vulnerability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-03-12 CVE Reserved
2021-04-01 CVE Published
2021-10-22 First Exploit
2024-08-03 CVE Updated
2024-09-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

CAPEC

References (28)

URL	Tag	Source
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5	Mitigation
https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20210611-0006	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Not Applicable

URL	Date	SRC
https://www.exploit-db.com/exploits/50438	2021-10-22
http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html	2024-08-03

URL	Date	SRC
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2021-28164	2022-09-09
https://bugzilla.redhat.com/show_bug.cgi?id=1945712	2022-09-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eclipse Search vendor "Eclipse"		Jetty Search vendor "Eclipse" for product "Jetty"				9.4.37 Search vendor "Eclipse" for product "Jetty" and version "9.4.37"		20210219		Affected
Eclipse Search vendor "Eclipse"		Jetty Search vendor "Eclipse" for product "Jetty"				9.4.38 Search vendor "Eclipse" for product "Jetty" and version "9.4.38"		20210224		Affected
Netapp Search vendor "Netapp"		Cloud Manager Search vendor "Netapp" for product "Cloud Manager"				-		-		Affected
Netapp Search vendor "Netapp"		E-series Performance Analyzer Search vendor "Netapp" for product "E-series Performance Analyzer"				-		-		Affected
Netapp Search vendor "Netapp"		E-series Santricity Os Controller Search vendor "Netapp" for product "E-series Santricity Os Controller"				>= 11.0 <= 11.70.1 Search vendor "Netapp" for product "E-series Santricity Os Controller" and version " >= 11.0 <= 11.70.1"		-		Affected
Netapp Search vendor "Netapp"		E-series Santricity Web Services Search vendor "Netapp" for product "E-series Santricity Web Services"				-		web_services_proxy		Affected
Netapp Search vendor "Netapp"		Element Plug-in For Vcenter Server Search vendor "Netapp" for product "Element Plug-in For Vcenter Server"				-		-		Affected
Netapp Search vendor "Netapp"		Santricity Cloud Connector Search vendor "Netapp" for product "Santricity Cloud Connector"				-		-		Affected
Netapp Search vendor "Netapp"		Snapcenter Search vendor "Netapp" for product "Snapcenter"				-		-		Affected
Netapp Search vendor "Netapp"		Snapcenter Plug-in Search vendor "Netapp" for product "Snapcenter Plug-in"				-		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Storage Replication Adapter For Clustered Data Ontap Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap"				>= 9.6 Search vendor "Netapp" for product "Storage Replication Adapter For Clustered Data Ontap" and version " >= 9.6"		vmware_vsphere		Affected
Netapp Search vendor "Netapp"		Vasa Provider For Clustered Data Ontap Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap"				>= 9.6 Search vendor "Netapp" for product "Vasa Provider For Clustered Data Ontap" and version " >= 9.6"		-		Affected
Netapp Search vendor "Netapp"		Virtual Storage Console Search vendor "Netapp" for product "Virtual Storage Console"				>= 9.6 Search vendor "Netapp" for product "Virtual Storage Console" and version " >= 9.6"		vmware_vsphere		Affected
Oracle Search vendor "Oracle"		Autovue For Agile Product Lifecycle Management Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management"				21.0.2 Search vendor "Oracle" for product "Autovue For Agile Product Lifecycle Management" and version "21.0.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Apis Search vendor "Oracle" for product "Banking Apis"				20.1 Search vendor "Oracle" for product "Banking Apis" and version "20.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Apis Search vendor "Oracle" for product "Banking Apis"				21.1 Search vendor "Oracle" for product "Banking Apis" and version "21.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				20.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "20.1"		-		Affected
Oracle Search vendor "Oracle"		Banking Digital Experience Search vendor "Oracle" for product "Banking Digital Experience"				21.1 Search vendor "Oracle" for product "Banking Digital Experience" and version "21.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.0.0 <= 8.2.4 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.0.0 <= 8.2.4"		-		Affected
Oracle Search vendor "Oracle"		Siebel Core - Automation Search vendor "Oracle" for product "Siebel Core - Automation"				<= 21.9 Search vendor "Oracle" for product "Siebel Core - Automation" and version " <= 21.9"		-		Affected