Vulnerability Name:

CVE-2021-28169 (CCN-203492)

Assigned:2021-06-08
Published:2021-06-08
Updated:2022-10-25
Summary:For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-28169

Source: XF
Type: UNKNOWN
eclipse-cve202128169-info-disc(203492)

Source: CCN
Type: Jetty GIT Repository
Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability

Source: CONFIRM
Type: Third Party Advisory
https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-users] 20210617 vulnerabilities

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41

Source: MISC
Type: Mailing List, Third Party Advisory
https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210727-0009/

Source: DEBIAN
Type: Third Party Advisory
DSA-4949

Source: CCN
Type: IBM Security Bulletin 6520472 (QRadar SIEM)
IBM QRadar SIEM is vulnerable to using components with know vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6527232 (MQ)
IBM MQ is vulnerable to multiple Jetty vulnerabilities (CVE-2021-34428, CVE-2021-34429, CVE-2021-28169)

Source: CCN
Type: IBM Security Bulletin 6567139 (Rational Functional Tester)
An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Source: CCN
Type: IBM Security Bulletin 6574041 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining (Multiple CVEs)

Source: CCN
Type: IBM Security Bulletin 6574049 (Process Mining)
Vulnerability in Eclipse Jetty affects IBM Process Mining (CVE-2020-27223,CVE-2021-28169)

Source: CCN
Type: IBM Security Bulletin 6584093 (MQ)
IBM MQ is vulnerable to multiple Eclipse Jetty issues

Source: CCN
Type: IBM Security Bulletin 6591193 (Sterling Connect:Direct Web Services)
IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6592799 (MaaS360 Mobile Enterprise Gateway)
IBM MaaS360 Mobile Enterprise Gateway uses Eclipse Jetty with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6597281 (Sterling Connect:Direct Browser User Interface)
IBM Sterling Connect:Direct Browser User Interface is vulnerable to multiple vulnerabilities due to Jetty

Source: CCN
Type: IBM Security Bulletin 6601919 (Tivoli Network Manager)
IBM Tivoli Network Manager is vulnerable to information disclosure attacks due to vulnerabilities in Eclipse Jetty (CVE-2021-28169)

Source: CCN
Type: IBM Security Bulletin 6606205 (Tivoli Netcool Manager)
There are multiple security vulnerabilities in Apache Storm used by IBM Tivoli Netcool Manager.

Source: CCN
Type: IBM Security Bulletin 6608622 (Rational Performance Tester)
Vulnerabilities in Eclipse Jetty affect Rational Performance Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6608624 (Rational Service Tester)
Vulnerabilities in Eclipse Jetty affect Rational Service Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165)

Source: CCN
Type: IBM Security Bulletin 6614725 (QRadar SIEM)
IBM QRadar SIEM includes components with multiple known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6825513 (Rational Change)
Multiple Vulnerabilities in Rational Change Fix Pack 04 for 5.3.2

Source: CCN
Type: IBM Security Bulletin 6825515 (Rational Synergy)
Multiple Vulnerabilities in Rational Synergy 7.2.2.4

Source: CCN
Type: IBM Security Bulletin 6829321 (InfoSphere Information Server)
Multiple vulnerabilities in Eclipse Jetty affect IBM InfoSphere Information Server

Source: CCN
Type: IBM Security Bulletin 6829867 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6830869 (Enterprise Records)
Vulnerability found in Eclipse Jetty may affect IBM Enterprise Records

Source: CCN
Type: IBM Security Bulletin 6848225 (Netcool Operations Insight)
Netcool Operations Insight v1.6.7 contains fixes for multiple security vulnerabilities.

Source: CCN
Type: IBM Security Bulletin 6854577 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Source: CCN
Type: IBM Security Bulletin 6983274 (Cognos Command Center)
IBM Cognos Command Center is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 7001793 (App Connect Enterprise Toolkit)
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Source: CCN
Type: IBM Security Bulletin 7005945 (Storage Protect)
IBM Storage Protect Server is vulnerable to various attacks due to Eclipse jetty

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version < 9.4.41)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.0.3)
  • OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.0 and < 11.0.3)

    • Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/a:oracle:rest_data_services:*:*:*:*:-:*:*:* (Version < 21.3)
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*

    • Configuration 4:
  • cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:hci:-:*:*:*:*:*:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*
  • OR cpe:/a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
  • OR cpe:/a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:eclipse:jetty:9.4.40:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:10.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:eclipse:jetty:11.0.2:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_command_center:10.2.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*
  • OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:8024
    P
    		jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)
    2023-06-20
    oval:org.opensuse.security:def:95293
    P
    		Security update for java-17-openjdk (Important)
    2022-08-03
    oval:org.opensuse.security:def:3395
    P
    		vsftpd-3.0.2-40.11.1 on GA media (Moderate)
    2022-06-28
    oval:org.opensuse.security:def:94894
    P
    		evince-41.3-150400.1.11 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:95025
    P
    		jetty-http-9.4.43-3.12.2 on GA media (Moderate)
    2022-06-22
    oval:org.opensuse.security:def:6065
    P
    		Security update for gcc48 (Moderate)
    2022-06-08
    oval:org.opensuse.security:def:102006
    P
    		Security update for the Linux Kernel (Live Patch 12 for SLE 15 SP3) (Critical)
    2022-02-16
    oval:org.opensuse.security:def:101607
    P
    		Security update for qemu (Low)
    2022-01-25
    oval:org.opensuse.security:def:112474
    P
    		jetty-annotations-9.4.43-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:105971
    P
    		jetty-annotations-9.4.43-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:4485
    P
    		Security update for the Linux Kernel (Live Patch 15 for SLE 12 SP5) (Important)
    2021-09-16
    oval:org.opensuse.security:def:111590
    P
    		Security update for jetty-minimal (Important)
    2021-07-11
    oval:org.opensuse.security:def:65574
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:4555
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:97080
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:117787
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:74712
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:108273
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:101782
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:65644
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:5745
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:75902
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:108672
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:66834
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:76222
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:67154
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    oval:org.opensuse.security:def:74642
    P
    		Security update for jetty-minimal (Important)
    2021-06-17
    BACK
    eclipse jetty *
    eclipse jetty *
    eclipse jetty *
    debian debian linux 9.0
    debian debian linux 10.0
    oracle rest data services *
    oracle communications cloud native core policy 1.14.0
    netapp snap creator framework -
    netapp hci -
    netapp active iq unified manager -
    netapp active iq unified manager -
    netapp management services for element software -
    eclipse jetty 9.4.40
    eclipse jetty 10.0.2
    eclipse jetty 11.0.2
    ibm infosphere information server 11.7
    ibm qradar security information and event manager 7.3
    ibm sterling b2b integrator 6.0.0.0
    ibm cognos command center 10.2.4.1
    ibm rational functional tester 9.5
    ibm mq 9.0.0
    ibm mq 9.1.0
    ibm qradar security information and event manager 7.4 -
    ibm rational service tester 9.5
    ibm mq 9.2.0
    ibm sterling b2b integrator 6.1.0.0
    ibm sterling b2b integrator 6.1.1.0
    ibm security verify governance 10.0