CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
78.9%
Issue Overview:
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml
can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. (CVE-2021-28169)
Affected Packages:
jetty
Note:
This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update jetty to update your system.
New Packages:
noarch:
jetty-project-9.0.3-8.amzn2.0.1.noarch
jetty-annotations-9.0.3-8.amzn2.0.1.noarch
jetty-ant-9.0.3-8.amzn2.0.1.noarch
jetty-client-9.0.3-8.amzn2.0.1.noarch
jetty-continuation-9.0.3-8.amzn2.0.1.noarch
jetty-deploy-9.0.3-8.amzn2.0.1.noarch
jetty-http-9.0.3-8.amzn2.0.1.noarch
jetty-io-9.0.3-8.amzn2.0.1.noarch
jetty-jaas-9.0.3-8.amzn2.0.1.noarch
jetty-jaspi-9.0.3-8.amzn2.0.1.noarch
jetty-jmx-9.0.3-8.amzn2.0.1.noarch
jetty-jndi-9.0.3-8.amzn2.0.1.noarch
jetty-jsp-9.0.3-8.amzn2.0.1.noarch
jetty-jspc-maven-plugin-9.0.3-8.amzn2.0.1.noarch
jetty-maven-plugin-9.0.3-8.amzn2.0.1.noarch
jetty-monitor-9.0.3-8.amzn2.0.1.noarch
jetty-plus-9.0.3-8.amzn2.0.1.noarch
jetty-proxy-9.0.3-8.amzn2.0.1.noarch
jetty-rewrite-9.0.3-8.amzn2.0.1.noarch
jetty-runner-9.0.3-8.amzn2.0.1.noarch
jetty-security-9.0.3-8.amzn2.0.1.noarch
jetty-server-9.0.3-8.amzn2.0.1.noarch
jetty-servlet-9.0.3-8.amzn2.0.1.noarch
jetty-servlets-9.0.3-8.amzn2.0.1.noarch
jetty-start-9.0.3-8.amzn2.0.1.noarch
jetty-util-9.0.3-8.amzn2.0.1.noarch
jetty-util-ajax-9.0.3-8.amzn2.0.1.noarch
jetty-webapp-9.0.3-8.amzn2.0.1.noarch
jetty-xml-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-api-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-client-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-common-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-parent-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-server-9.0.3-8.amzn2.0.1.noarch
jetty-websocket-servlet-9.0.3-8.amzn2.0.1.noarch
jetty-javadoc-9.0.3-8.amzn2.0.1.noarch
src:
jetty-9.0.3-8.amzn2.0.1.src
Red Hat: CVE-2021-28169
Mitre: CVE-2021-28169
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 2 | noarch | jetty-project | < 9.0.3-8.amzn2.0.1 | jetty-project-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-annotations | < 9.0.3-8.amzn2.0.1 | jetty-annotations-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-ant | < 9.0.3-8.amzn2.0.1 | jetty-ant-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-client | < 9.0.3-8.amzn2.0.1 | jetty-client-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-continuation | < 9.0.3-8.amzn2.0.1 | jetty-continuation-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-deploy | < 9.0.3-8.amzn2.0.1 | jetty-deploy-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-http | < 9.0.3-8.amzn2.0.1 | jetty-http-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-io | < 9.0.3-8.amzn2.0.1 | jetty-io-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-jaas | < 9.0.3-8.amzn2.0.1 | jetty-jaas-9.0.3-8.amzn2.0.1.noarch.rpm |
Amazon Linux | 2 | noarch | jetty-jaspi | < 9.0.3-8.amzn2.0.1 | jetty-jaspi-9.0.3-8.amzn2.0.1.noarch.rpm |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
78.9%