CVE-2021-28169
Summary
| CVE | CVE-2021-28169 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-09 02:15:00 UTC |
| Updated | 2023-11-07 03:32:00 UTC |
| Description | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Zookeeper | 3.5.9 | All | All | All |
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 9.0 | All | All | All |
| Application | Eclipse | Jetty | All | All | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Application | Netapp | Active Iq Unified Manager | - | All | All | All |
| Application | Netapp | Hci | - | All | All | All |
| Application | Netapp | Management Services For Element Software | - | All | All | All |
| Application | Netapp | Snap Creator Framework | - | All | All | All |
| Application | Oracle | Communications Cloud Native Core Policy | 1.14.0 | All | All | All |
| Application | Oracle | Rest Data Services | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Pony Mail! | MISC | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42 | lists.apache.org | ||
| github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq | CONFIRM | github.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| [kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41 | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41 | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| [kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41 | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41 | lists.apache.org | ||
| Debian -- Security Information -- DSA-4949-1 jetty9 | DEBIAN | www.debian.org | |
| lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34... | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| CVE-2021-28169 Eclipse Jetty Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Pony Mail! | MISC | lists.apache.org | |
| Oracle Critical Patch Update Advisory - January 2022 | MISC | www.oracle.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29... | lists.apache.org | ||
| [SECURITY] [DLA 2688-1] jetty9 security update | MLIST | lists.debian.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-users] 20210617 vulnerabilities | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| [kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41 | lists.apache.org | ||
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| Pony Mail! | MLIST | lists.apache.org | |
| [zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42 | lists.apache.org | ||
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178675 Debian Security Update for jetty9 (DLA 2688-1)
- 179713 Debian Security Update for jetty9 (CVE-2021-28169)
- 239697 Red Hat Update for OpenShift Container Platform 4.9.0 packages and (RHSA-2021:3758)
- 730265 Eclipse Jetty Multiple Security Vulnerabilities (Bug 573389,574146)
- 750663 SUSE Enterprise Linux Security Update for jetty-minimal (SUSE-SU-2021:2005-1)
- 750781 OpenSUSE Security Update for jetty-minimal (openSUSE-SU-2021:2005-1)
- 770083 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2021:3758)
- 770107 Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2021-3758)
- 980355 Java (maven) Security Update for org.eclipse.jetty:jetty-servlets (GHSA-gwcr-j4wh-j3cq)