CVE-2021-28164

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/04/2021
Last modified:
07/11/2023

Description

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*
cpe:2.3:a:eclipse:jetty:9.4.38:20210224:*:*:*:*:*:*
cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* 11.0 (including) 11.70.1 (including)
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:* 9.6 (including)
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:* 9.6 (including)
cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:* 9.6 (including)
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*


References to Advisories, Solutions, and Tools