mend-bolt-for-github[bot]
commented
4 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Utility Servlets from Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/examples/embedded/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2021-28169
### Vulnerable Library - jetty-servlets-9.4.31.v20200723.jarUtility Servlets from Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/examples/embedded/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar
Dependency Hierarchy: - :x: **jetty-servlets-9.4.31.v20200723.jar** (Vulnerable Library)
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
### Vulnerability DetailsFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: 9.4.41.v20210516
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-36479
### Vulnerable Library - jetty-servlets-9.4.31.v20200723.jarUtility Servlets from Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/examples/embedded/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.31.v20200723/jetty-servlets-9.4.31.v20200723.jar
Dependency Hierarchy: - :x: **jetty-servlets-9.4.31.v20200723.jar** (Vulnerable Library)
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
### Vulnerability DetailsEclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Publish Date: 2023-09-15
URL: CVE-2023-36479
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-3gh6-v5v9-6v9j
Release Date: 2023-09-15
Fix Resolution: 9.4.52.v20230823
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)