Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-34429

CWE-200 — Information Exposure CWE-551 CWE-863 — Incorrect Authorization18 documents12 sources

Severity

5.3MEDIUM

EPSS

93.8%

top 0.14%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

THE Eclipse Foundation Eclipse Jetty Eclipse Jetty Oracle Rest Data Services +10 more

Timeline

PublishedJul 15

Latest updateJul 15

Description

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages15 packages

▶NVDeclipse/jetty9.4.37 — 9.4.43+2

▶Mavenorg.eclipse.jetty:jetty-webapp9.4.37 — 9.4.43+2

▶CVEListV5the_eclipse_foundation/eclipse_jetty9.4.37 — unspecified+5

▶Debianjetty9< 9.4.39-3+3

▶NVDoracle/communications_cloud_native_core_security_edge_protection_proxy1.5.0

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

OSV

Encoded URIs can access WEB-INF directory in Eclipse Jetty↗2021-07-19

▶

GHSA

Encoded URIs can access WEB-INF directory in Eclipse Jetty↗2021-07-19

▶

OSV

CVE-2021-34429: For Eclipse Jetty versions 9↗2021-07-15

▶

CVEList

CVE-2021-34429: For Eclipse Jetty versions 9↗2021-07-15

▶

VulnCheck

Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5 Security Bypass↗2021

▶

💥Exploits & PoCs

Exploit-DB

Eclipse Jetty 11.0.5 - Sensitive File Disclosure↗2021-11-03

▶

Nuclei

Eclipse Jetty - Information Disclosure

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Attempt Inbound (CVE-2021-34429)↗2021-07-27

▶

Suricata

ET WEB_SPECIFIC_APPS Jetty WEB-INF Information Leak Successful Exploitation (CVE-2021-34429)↗2021-07-27

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Runtime Engine (Apache ZooKeeper) — CVE-2021-34429↗2023-07-15

▶

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Runtime Java agent for ODI (Eclipse Jetty) — CVE-2021-34429↗2022-10-15

▶

Oracle

Oracle Oracle GoldenGate Risk Matrix: Oracle Stream Analytics (Eclipse Jetty) — CVE-2021-34429↗2022-07-15

▶

Oracle

Oracle Oracle Retail Applications Risk Matrix: Framework (Eclipse Jetty) — CVE-2021-34429↗2022-04-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: Binding Support Function (Eclipse Jetty) — CVE-2021-34429↗2022-01-15

▶

💬Community

HackerOne

web.xml configuration file disclosure↗2021-04-16

▶