VYPR
Moderate severityNVD Advisory· Published Jun 9, 2021· Updated Aug 3, 2024

CVE-2021-28169

CVE-2021-28169

Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.eclipse.jetty:jetty-servletsMaven
< 9.4.419.4.41
org.eclipse.jetty:jetty-servletsMaven
>= 10.0.0, < 10.0.310.0.3
org.eclipse.jetty:jetty-servletsMaven
>= 11.0.0, < 11.0.311.0.3

Affected products

6

Patches

Vulnerability mechanics

References

44

News mentions

0

No linked articles in our index yet.