In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
No history.
Information
Published : 2021-04-01 15:15
Updated : 2024-11-21 05:59
NVD link : CVE-2021-28164
Mitre link : CVE-2021-28164
CVE.ORG link : CVE-2021-28164
JSON object : View
Products Affected
oracle
- autovue_for_agile_product_lifecycle_management
- communications_session_route_manager
- banking_apis
- siebel_core_-_automation
- banking_digital_experience
netapp
- e-series_santricity_os_controller
- e-series_performance_analyzer
- snapcenter_plug-in
- vasa_provider_for_clustered_data_ontap
- virtual_storage_console
- e-series_santricity_web_services
- santricity_cloud_connector
- cloud_manager
- snapcenter
- storage_replication_adapter_for_clustered_data_ontap
- element_plug-in_for_vcenter_server
eclipse
- jetty
CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
NVD-CWE-Other