CVE-2021-28164

Exploit

EPSS 93.52%
Published 01.04.2021 15:15:14
Last modified 21.11.2024 05:59:13
Source emo@eclipse.org
Teams watchlist Login
Open Login

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Affected products Warnungen 0 Metrics 4 CWE 2 References 28

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version9.4.37 Update20210219

Eclipse ≫ Jetty Version9.4.38 Update20210224

Netapp ≫ Cloud Manager Version-

Netapp ≫ E-series Performance Analyzer Version-

Netapp ≫ E-series Santricity Os Controller Version >= 11.0 <= 11.70.1

Netapp ≫ E-series Santricity Web Services Version- SwPlatformweb_services_proxy

Netapp ≫ Element Plug-in For Vcenter Server Version-

Netapp ≫ Santricity Cloud Connector Version-

Netapp ≫ Snapcenter Version-

Netapp ≫ Snapcenter Plug-in Version- SwPlatformvmware_vsphere

Netapp ≫ Storage Replication Adapter For Clustered Data Ontap SwPlatformvmware_vsphere Version >= 9.6

Netapp ≫ Vasa Provider For Clustered Data Ontap Version >= 9.6

Netapp ≫ Virtual Storage Console SwPlatformvmware_vsphere Version >= 9.6

Oracle ≫ Autovue For Agile Product Lifecycle Management Version21.0.2

Oracle ≫ Banking Apis Version20.1

Oracle ≫ Banking Apis Version21.1

Oracle ≫ Banking Digital Experience Version20.1

Oracle ≫ Banking Digital Experience Version21.1

Oracle ≫ Communications Session Route Manager Version >= 8.0.0 <= 8.2.4

Oracle ≫ Siebel Core - Automation Version <= 21.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.52%	0.998

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
emo@eclipse.org	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

https://www.oracle.com/security-alerts/cpuapr2022.html

Third Party Advisory

Not Applicable

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E

https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E

https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E