Vulnerability CVE-2021-28164

Vulnerability Name:

CVE-2021-28164 (CCN-199304)

Assigned:

2021-04-01

Published:

2021-04-01

Updated:

2022-07-14

Summary:

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Obtain Information

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.38:20210224:*:*:*:*:*:*

Configuration 2:

cpe:/a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*

OR cpe:/a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6

OR cpe:/a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* (Version >= 9.6

OR cpe:/a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* (Version >= 9.6

OR cpe:/a:netapp:cloud_manager:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*

OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.70.1)

OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:* (Version <= 21.9)

OR cpe:/a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.2.4)

OR cpe:/a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_apis:20.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:banking_apis:21.1:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:9.4.38:20210224:*:*:*:*:*:*

AND

cpe:/a:ibm:cognos_analytics:11.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_analytics:11.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*

OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8024	P	jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:95293	P	Security update for java-17-openjdk (Important)	2022-08-03
oval:org.opensuse.security:def:3395	P	vsftpd-3.0.2-40.11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:94894	P	evince-41.3-150400.1.11 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:95025	P	jetty-http-9.4.43-3.12.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:6065	P	Security update for gcc48 (Moderate)	2022-06-08
oval:org.opensuse.security:def:102006	P	Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (Critical)	2022-02-16
oval:org.opensuse.security:def:101607	P	Security update for qemu (Low)	2022-01-25
oval:org.opensuse.security:def:112474	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:105971	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:4485	P	Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5) (Important)	2021-09-16
oval:org.opensuse.security:def:111590	P	Security update for jetty-minimal (Important)	2021-07-11
oval:org.opensuse.security:def:65574	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:4555	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:97080	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:117787	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:74712	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:108273	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:101782	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:65644	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:5745	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:75902	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:108672	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:66834	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:76222	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:67154	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:74642	P	Security update for jetty-minimal (Important)	2021-06-17

BACK