CVE-2021-34429 (Medium) detected in jetty-webapp-9.4.41.v20210516.jar

[mend-bolt-for-github[bot]]

CVE-2021-34429 - Medium Severity Vulnerability

Vulnerable Library - jetty-webapp-9.4.41.v20210516.jar

Jetty web application support

Library home page: https://eclipse.org/jetty

Path to dependency file: moqui-framework/framework/build.gradle

Path to vulnerable library: canner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-webapp/9.4.41.v20210516/e9dfb34715ab48f5175fd6ab96f67ff6c299e6fb/jetty-webapp-9.4.41.v20210516.jar

Dependency Hierarchy: - :x: **jetty-webapp-9.4.41.v20210516.jar** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Publish Date: 2021-07-15

URL: CVE-2021-34429

CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

Release Date: 2021-07-15

Fix Resolution: org.eclipse.jetty:jetty-webapp:9.4.43,10.0.6,11.0.6

---

Step up your Open Source Security Game with WhiteSource here

[jonesde]

Jetty updated in commit f5c7f5e