In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:32
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2021-04-01 15:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-28164
Mitre link : CVE-2021-28164
CVE.ORG link : CVE-2021-28164
JSON object : View
Products Affected
netapp
- snapcenter
- snapcenter_plug-in
- vasa_provider_for_clustered_data_ontap
- santricity_cloud_connector
- element_plug-in_for_vcenter_server
- virtual_storage_console
- cloud_manager
- e-series_santricity_web_services
- e-series_performance_analyzer
- storage_replication_adapter_for_clustered_data_ontap
- e-series_santricity_os_controller
eclipse
- jetty
oracle
- siebel_core_-_automation
- banking_digital_experience
- banking_apis
- communications_session_route_manager
- autovue_for_agile_product_lifecycle_management
CWE
NVD-CWE-Other
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE-551Incorrect Behavior Order: Authorization Before Parsing and Canonicalization