Maven package
org.eclipse.jetty/jetty-webapp
pkg:maven/org.eclipse.jetty/jetty-webapp
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-34429 | — | >= 9.4.37, < 9.4.43 | 9.4.43 | Jul 15, 2021 | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/G | ||
| CVE-2021-28164 | — | >= 9.4.37, < 9.4.39 | 9.4.39 | Apr 1, 2021 | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web. | ||
| CVE-2020-27216 | — | < 9.4.33.v20201020 | 9.4.33.v20201020 | Oct 23, 2020 | In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a t |
- CVE-2021-34429Jul 15, 2021affected >= 9.4.37, < 9.4.43fixed 9.4.43
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/G
- CVE-2021-28164Apr 1, 2021affected >= 9.4.37, < 9.4.39fixed 9.4.39
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.
- CVE-2020-27216Oct 23, 2020affected < 9.4.33.v20201020fixed 9.4.33.v20201020
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a t