https://bugzilla.redhat.com/show_bug.cgi?id=1945712
Bug ID: 1945712
Summary: CVE-2021-28164 jetty: Ambiguous paths can access
WEB-INF
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, ataylor(a)redhat.com,
bibryam(a)redhat.com, bmontgom(a)redhat.com,
chazlett(a)redhat.com, dbecker(a)redhat.com,
drieden(a)redhat.com,
eclipse-sig(a)lists.fedoraproject.org,
eparis(a)redhat.com, eric.wittmann(a)redhat.com,
etirelli(a)redhat.com, ggaughan(a)redhat.com,
gmalinko(a)redhat.com, hbraun(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-maint(a)redhat.com, jburrell(a)redhat.com,
jjohnstn(a)redhat.com, jjoyce(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jross(a)redhat.com, jschluet(a)redhat.com,
jstastny(a)redhat.com, jwon(a)redhat.com,
krathod(a)redhat.com, krzysztof.daniel(a)gmail.com,
kverlaen(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
mat.booth(a)gmail.com, mburns(a)redhat.com,
mizdebsk(a)redhat.com, mkolesni(a)redhat.com,
mnovotny(a)redhat.com, nstielau(a)redhat.com,
pantinor(a)redhat.com, pjindal(a)redhat.com,
rrajasek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, slinaber(a)redhat.com,
sochotni(a)redhat.com, sponnaga(a)redhat.com,
swoodman(a)redhat.com, tzimanyi(a)redhat.com
Target Milestone: ---
Classification: Other
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance
mode allows requests with URIs that contain %2e or %2e%2e segments to access
protected resources within the WEB-INF directory. For example a request to
/context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal
sensitive information regarding the implementation of a web application.
References:
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8w...
--
You are receiving this mail because:
You are on the CC list for the bug.