QID 730265
Date Published: 2021-11-22
QID 730265: Eclipse Jetty Multiple Security Vulnerabilities (Bug 573389,574146)
Eclipse Jetty is a Java HTTP server and Java Servlet container. While Web Servers are usually associated with serving documents to people, Jetty is now often used for machine to machine communications, usually within larger software frameworks.
CVE-2021-28169: ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory.This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-34428: On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.
Versions Affected:
Jetty versions prior to 9.4.41
Jetty versions from 10.0.0 to 10.0.2
Jetty versions from 11.0.0 to 11.0.2
QID Detection Logic:(Unauthenticated)
It looks at http banner to check for vulnerable version of Jetty
Successful exploitation of these vulnerabilities may allow an attacker to reveal sensitive information regarding the implementation of a web application.
Customers are advised to refer to Bug 573389 and Bug 574146 for more information.
- Bug 573389 -
bugs.eclipse.org/bugs/show_bug.cgi?id=573389 - Bug 574146 -
bugs.eclipse.org/bugs/show_bug.cgi?id=574146
CVEs related to QID 730265
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Bug 573389 |
bugs.eclipse.org/bugs/show_bug.cgi?id=573389 |
||
| Bug 574146 |
bugs.eclipse.org/bugs/show_bug.cgi?id=574146 |