Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-8384

Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
14/07/2026
Última modificación:
14/07/2026

Descripción

*** Pendiente de traducción *** In Eclipse Jetty, an HTTP URI of this form:<br /> <br /> <br /> <br /> <br /> <br /> /public;/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> results in an unresolved path of:<br /> <br /> <br /> <br /> <br /> <br /> /public/../admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> instead of the expected:<br /> <br /> <br /> <br /> <br /> <br /> /admin/secret.txt<br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> <br /> Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).<br /> <br /> <br /> <br /> <br /> However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

Referencias a soluciones, herramientas e información