|
|
|||
| Rule General Information |
|---|
| Release Date: | 2021-11-17 | |
| Rule Name: | Eclipse Jetty WEB-INF Information Leak Vulnerability (CVE-2021-28164) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. | |
| Impact: | An attacker could exploit this vulnerability to have unspecified effect. | |
| Affected OS: | Windows, Linux, Others | |
| Reference: | http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E |
|
| Solutions |
|---|
| The vendor has released upgrade patches to fix vulnerabilities, please visit: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w |