Information Disclosure Vulnerability in Jetty by Eclipse
CVE-2021-28164

5.3MEDIUM

Key Information:

Vendor

The Eclipse Foundation

Status
Eclipse Jetty
Vendor
CVE Published:
1 April 2021

Badges

👾 Exploit Exists🟣 EPSS 93%

What is CVE-2021-28164?

Eclipse Jetty versions 9.4.37.v20210219 to 9.4.38.v20210224 contain a vulnerability where default compliance mode permits URI requests that include '%2e' or '%2e%2e' segments. This flaw enables unauthorized access to protected resources, particularly files located within the WEB-INF directory, such as web.xml. This exposure can lead to the leakage of sensitive implementation details of web applications, posing a significant risk to security.

Affected Version(s)

Eclipse Jetty 9.4.37.v20210219

Eclipse Jetty <= 9.4.38.v20210224

References

https://github.com/eclipse/jetty.project/security/advisor...
x_refsource_CONFIRM
https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4...
mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e...
mailing-listx_refsource_MLIST

EPSS Score

93% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.