Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-28169

CWE-200 — Information Exposure11 documents10 sources

Severity

5.3MEDIUM

EPSS

90.3%

top 0.40%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Eclipse Jetty Oracle Rest Data Services THE Eclipse Foundation Eclipse Jetty +2 more

Timeline

PublishedJun 9

Latest updateAug 19

Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages6 packages

▶NVDeclipse/jetty10.0.0 — 10.0.3+2

▶Mavenorg.eclipse.jetty:jetty-servlets10.0.0 — 10.0.3+2

▶CVEListV5the_eclipse_foundation/eclipse_jettyunspecified — 9.4.40+2

▶Debianjetty9< 9.4.39-2+3

▶NVDoracle/rest_data_services< 21.3

Also affects: Debian Linux 10.0, 9.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability↗2021-06-10

▶

GHSA

Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability↗2021-06-10

▶

OSV

CVE-2021-28169: For Eclipse Jetty versions <= 9↗2021-06-09

▶

CVEList

CVE-2021-28169: For Eclipse Jetty versions <= 9↗2021-06-09

▶

VulnCheck

Eclipse Jetty ConcatServlet Vulnerability↗2021

▶

💥Exploits & PoCs

Nuclei

Eclipse Jetty ConcatServlet - Information Disclosure

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Policy (Eclipse Jetty) — CVE-2021-28169↗2022-04-15

▶

Red Hat

jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory↗2021-06-08

▶

Debian

CVE-2021-28169: jetty9 - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for r...↗2021

▶

🕵️Threat Intelligence

Unit42

Network Security Trends: Recent Exploits Observed in the Wild Include Remote Code Execution, Cross-Site Scripting and More↗2022-08-19

▶