CVE-2021-34429

Exploit

EPSS 93.8%
Published 15.07.2021 17:15:08
Last modified 21.11.2024 06:10:23
Source emo@eclipse.org
Teams watchlist Login
Open Login

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Affected products Warnungen 0 Metrics 4 CWE 2 References 41

Data is provided by the National Vulnerability Database (NVD)

Eclipse ≫ Jetty Version >= 9.4.37 < 9.4.43

Eclipse ≫ Jetty Version >= 10.0.1 < 10.0.6

Eclipse ≫ Jetty Version >= 11.0.1 < 11.0.6

Netapp ≫ E-series Santricity Os Controller Version >= 11.0 <= 11.70.1

Netapp ≫ E-series Santricity Web Services Version- SwPlatformweb_services_proxy

Netapp ≫ Element Plug-in For Vcenter Server Version-

Netapp ≫ Hci Management Node Version-

Netapp ≫ Snap Creator Framework Version-

Netapp ≫ Snapcenter Plug-in Version- SwPlatformvmware_vsphere

Netapp ≫ Solidfire Version-

Oracle ≫ Autovue For Agile Product Lifecycle Management Version21.0.2

Oracle ≫ Communications Cloud Native Core Binding Support Function Version1.10.0

Oracle ≫ Communications Cloud Native Core Security Edge Protection Proxy Version1.5.0

Oracle ≫ Communications Cloud Native Core Service Communication Proxy Version1.14.0

Oracle ≫ Communications Cloud Native Core Unified Data Repository Version1.14.0

Oracle ≫ Communications Diameter Signaling Router Version >= 8.0.0.0 <= 8.5.0.2

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.2.0

Oracle ≫ Financial Services Crime And Compliance Management Studio Version8.0.8.3.0

Oracle ≫ Rest Data Services SwEdition- Version < 22.1.1

Oracle ≫ Retail Eftlink Version20.0.1

Oracle ≫ Stream Analytics Version < 19.1.0.0.6.4

Oracle ≫ Stream Analytics Version19c

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	93.8%	0.999

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:P/I:N/A:N
emo@eclipse.org	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

https://www.oracle.com/security-alerts/cpuapr2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Patch

Third Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Patch

Third Party Advisory

https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E

https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E