For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
History
07 Nov 2023, 03:32
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2021-06-09 02:15
Updated : 2024-02-28 18:28
NVD link : CVE-2021-28169
Mitre link : CVE-2021-28169
CVE.ORG link : CVE-2021-28169
JSON object : View
Products Affected
oracle
- rest_data_services
- communications_cloud_native_core_policy
netapp
- active_iq_unified_manager
- management_services_for_element_software
- snap_creator_framework
- hci
eclipse
- jetty
debian
- debian_linux
CWE