Vulnerability CVE-2021-34429

Vulnerability Name:

CVE-2021-34429 (CCN-205596)

Assigned:

2021-07-15

Published:

2021-07-15

Updated:

2022-10-27

Summary:

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

CVSS v3 Severity:

5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Obtain Information

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 11.0.1 and < 11.0.6)

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 10.0.1 and < 10.0.6)

OR cpe:/a:eclipse:jetty:*:*:*:*:*:*:*:* (Version >= 9.4.37 and < 9.4.43)

Configuration 2:

cpe:/a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:solidfire:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:hci_management_node:-:*:*:*:*:*:*:*

OR cpe:/a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*

OR cpe:/a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*

OR cpe:/a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (Version >= 11.0 and <= 11.70.1)

OR cpe:/a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*

OR cpe:/a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.5.0.2)

OR cpe:/a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*

OR cpe:/a:oracle:rest_data_services:*:*:*:*:-:*:*:* (Version < 22.1.1)

OR cpe:/a:oracle:stream_analytics:*:*:*:*:*:*:*:* (Version < 19.1.0.0.6.4)

OR cpe:/a:oracle:stream_analytics:19c:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:eclipse:jetty:9.4.42:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:10.0.5:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.1:*:*:*:*:*:*:*

OR cpe:/a:eclipse:jetty:11.0.5:*:*:*:*:*:*:*

AND

cpe:/a:ibm:infosphere_information_server:11.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_secure_proxy:3.4.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_secure_proxy:2.4.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_functional_tester:9.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:mq:9.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:mq:9.1.0:*:*:*:continuous_delivery:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4:-:*:*:*:*:*:*

OR cpe:/a:ibm:rational_service_tester:9.5:*:*:*:soa_quality:*:*:*

OR cpe:/a:ibm:mq:9.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:6.1.1.0:*:*:*:standard:*:*:*

OR cpe:/a:ibm:sterling_secure_proxy:6.0.3.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8024	P	jetty-http-9.4.48-150200.3.16.3 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:95369	P	Security update for php7 (Important)	2022-07-06
oval:org.opensuse.security:def:3395	P	vsftpd-3.0.2-40.11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:95025	P	jetty-http-9.4.43-3.12.2 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:94912	P	gtk2-data-2.24.33-150400.2.11 on GA media (Moderate)	2022-06-22
oval:org.opensuse.security:def:101625	P	Security update for java-11-openjdk (Important) (in QA)	2022-04-21
oval:org.opensuse.security:def:4573	P	Security update for the Linux Kernel (Important)	2022-04-14
oval:org.opensuse.security:def:102082	P	Security update for SDL2 (Important)	2022-01-18
oval:org.opensuse.security:def:112474	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:6154	P	Security update for net-snmp (Important)	2022-01-05
oval:org.opensuse.security:def:4503	P	Security update for the Linux Kernel (Live Patch 14 for SLE 12 SP5) (Important)	2021-10-14
oval:org.opensuse.security:def:105971	P	jetty-annotations-9.4.43-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:101800	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:65662	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:5821	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:117805	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:75978	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:108748	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:1122	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:66910	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:111690	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:76311	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:67243	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:74660	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:65592	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:74730	P	Security update for jetty-minimal (Moderate)	2021-08-25
oval:org.opensuse.security:def:108291	P	Security update for jetty-minimal (Moderate)	2021-08-25

BACK