CVE-2021-28164
Published Apr 1, 2021
Last updated a year ago
Overview
- Description
- In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments (the percent-encoded forms of the "." and ".." path segments) to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information about the implementation of a web application.
- Source
- emo@eclipse.org
- NVD status
- Modified
Risk scores
CVSS 3.1
- Type
- Primary
- Base score
- 5.3
- Impact score
- 1.4
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity
- MEDIUM
CVSS 2.0
- Type
- Primary
- Base score
- 5
- Impact score
- 2.9
- Exploitability score
- 10
- Vector string
- AV:N/AC:L/Au:N/C:P/I:N/A:N
Weaknesses
- nvd@nist.gov
- NVD-CWE-Other
- emo@eclipse.org
- CWE-200
Configurations
[ { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E55D7BBC-875B-4AF6-8298-AE3DE6A4EBEF" }, { "criteria": "cpe:2.3:a:eclipse:jetty:9.4.38:20210224:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4F8A8973-E774-4C85-8EA7-A98C5B77E2DA" } ], "operator": "OR" } ] }, { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "197D0D80-6702-4B61-B681-AFDBA7D69067" }, { "criteria": "cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24B8DB06-590A-4008-B0AB-FCD1401C77C6" }, { "criteria": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73F81EC3-4AB0-4CD7-B845-267C5974DE98", "versionEndIncluding": "11.70.1", "versionStartIncluding": "11.0" }, { "criteria": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*", "vulnerable": true, "matchCriteriaId": "1AEFF829-A8F2-4041-8DDF-E705DB3ADED2" }, { "criteria": "cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "214712B6-59AF-4B5E-84BF-AF3C74A390EA" }, { "criteria": "cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AB15BCF1-1B1D-49D8-9B76-46DCB10044DB" }, { "criteria": "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BDFB1169-41A0-4A86-8E4F-FDA9730B1E94" }, { "criteria": "cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "DC01D8F3-291A-44E5-99C1-6771F6656E0E" }, { "criteria": "cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_data_ontap:*:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "D5D73B53-9750-4844-A767-21F8A0CEE0B3", "versionStartIncluding": "9.6" }, { 
"criteria": "cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0C0FF89C-3DC1-4FF4-9447-128028EEA80B", "versionStartIncluding": "9.6" }, { "criteria": "cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vsphere:*:*", "vulnerable": true, "matchCriteriaId": "FF852A4C-7818-408D-A46B-2F4EE1AB8895", "versionStartIncluding": "9.6" } ], "operator": "OR" } ] }, { "nodes": [ { "negate": false, "cpeMatch": [ { "criteria": "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97994257-C9A4-4491-B362-E8B25B7187AB" }, { "criteria": "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7CBFC93F-8B39-45A2-981C-59B187169BD4" }, { "criteria": "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0843465C-F940-4FFC-998D-9A2668B75EA0" }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "33F68878-BC19-4DB8-8A72-BD9FE3D0ACEC" }, { "criteria": "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0D6895A6-511A-4DC6-9F9B-58E05B86BDB1" }, { "criteria": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1FDBAD8E-C926-4D6F-9FD2-B0428980D6DF", "versionEndIncluding": "8.2.4", "versionStartIncluding": "8.0.0" }, { "criteria": "cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BEAB4771-C33C-4151-AEAE-A6D2C892C3C8", "versionEndIncluding": "21.9" } ], "operator": "OR" } ] } ]