Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.11.v20180605/20c35f5336befe35b0bd5c4a63e07170fe7872d7/jetty-http-9.4.11.v20180605.jar
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/9.4.11.v20180605/8301f94a8b8e4a8ed7c065984b18c02c4206b920/jetty-servlets-9.4.11.v20180605.jar
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28169 - Medium Severity Vulnerability
jetty-http-9.4.11.v20180605.jar
The Eclipse Jetty Project
Library home page: https://webtide.com
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.11.v20180605/20c35f5336befe35b0bd5c4a63e07170fe7872d7/jetty-http-9.4.11.v20180605.jar
Dependency Hierarchy: - jetty-servlets-9.4.11.v20180605.jar (Root Library) - :x: **jetty-http-9.4.11.v20180605.jar** (Vulnerable Library)
jetty-servlets-9.4.11.v20180605.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/9.4.11.v20180605/8301f94a8b8e4a8ed7c065984b18c02c4206b920/jetty-servlets-9.4.11.v20180605.jar
Dependency Hierarchy: - :x: **jetty-servlets-9.4.11.v20180605.jar** (Vulnerable Library)
jetty-server-9.4.11.v20180605.jar
The core jetty server artifact.
Library home page: https://webtide.com
Path to dependency file: /build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.11.v20180605/58353c2f27515b007fc83ae22002feb34fc24714/jetty-server-9.4.11.v20180605.jar
Dependency Hierarchy: - :x: **jetty-server-9.4.11.v20180605.jar** (Vulnerable Library)
Found in HEAD commit: 722089816e5192b667c19cb836256ef6da8be1ac
Found in base branch: master
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.41.v20210516
Direct dependency fix Resolution (org.eclipse.jetty:jetty-servlets): 9.4.41.v20210516
Step up your Open Source Security Game with Mend here