Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMDC598384160FFCC4F7196BB511E6CD474F036CD26C81C27C5E29EC3E0F1BA6FD
HistoryDec 17, 2021 - 5:19 p.m.

Security Bulletin: IBM MQ is vulnerable to multiple Jetty vulnerabilities (CVE-2021-34428, CVE-2021-34429, CVE-2021-28169)

2021-12-1717:19:13
www.ibm.com
28
ibm mq
eclipse jetty
vulnerability
cve-2021-34428
cve-2021-34429
cve-2021-28169
apar it36791
apar it38605
apar it38604
apar it29154
fixpack 9.0.0.12
fixpack 9.1.0.10
fixpack 9.2.0.4
ibm mq 9.0 lts
ibm mq 9.1 lts
ibm mq 9.2 lts
ibm mq 9.1 cd
ibm mq 9.2 cd

EPSS

0.473

Percentile

97.5%

JSON

Summary

Multiple issues were identified in Eclipse Jetty that IBM MQ Explorer uses and is affected by.

Vulnerability Details

CVEID:CVE-2021-34428
**DESCRIPTION:**Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an exception is thrown from the SessionListener#sessionDestroyed() method. By gaining access to the application on the shared computer, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 3.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204227 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-34429
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted URI, an attacker could exploit this vulnerability to obtain the content of the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2021-28169
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.0 LTS
IBM MQ 9.1 LTS
IBM MQ 9.2 LTS
IBM MQ 9.1 CD
IBM MQ 9.2 CD

Remediation/Fixes

IBM MQ 9.0 LTS

This issue has been resolved under APAR IT36791

Apply FixPack 9.0.0.12

IBM MQ 9.1 LTS

This issue has been resolved under APAR IT38605

Apply FixPack 9.1.0.10

IBM MQ 9.2 LTS

This issue has been resolved under APAR IT38604

Apply FixPack 9.2.0.4

IBM MQ 9.1 CD and 9.2 CD

This issue has been resolved under APAR IT29154

Upgrade to IBM MQ 9.2.4

Workarounds and Mitigations

None

Related

ibm 34
nessus 14
attackerkb 1
githubexploit 5
redhatcve 3
veracode 3
openvas 13
osv 8
redhat 8
f5 2
github 4
cve 3
srcincite 1
exploitdb 1
ubuntucve 3
prion 3
seebug 2
cvelist 3
nvd 3
debiancve 3
nuclei 2
hackerone 1
suse 2
cnvd 1
zdt 1
debian 2
amazon 1
packetstorm 1
metasploit 1
oracle 6
ibm
ibm
Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty
2022-10-17 13:12:51
Security Bulletin: Vulnerabilities in Eclipse Jetty affect Rational Performance Tester (CVE-2021-28169, CVE-2021-34428, CVE-2021-28163, CVE-2021-28164, CVE-2021-34429, CVE-2021-28165)
2022-07-29 20:31:30
Security Bulletin: IBM MQ is vulnerable to multiple Eclipse Jetty issues
2022-06-24 16:32:12
nessus
nessus
Jetty 11.0.x < 11.0.3 Multiple Vulnerabilities
2021-10-04 00:00:00
Jetty 10.0.x < 10.0.3 Multiple Vulnerabilities
2021-10-04 00:00:00
Jetty < 9.4.41 Multiple Vulnerabilities
2021-10-04 00:00:00
attackerkb
attackerkb
CVE-2021-28169
2021-06-09 00:00:00
githubexploit
githubexploit
Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Eclipse Jetty
2021-11-03 09:13:12
Exploit for Insufficient Session Expiration in Eclipse Jetty
2023-11-01 10:15:36
Exploit for Insufficient Session Expiration in Eclipse Jetty
2023-11-27 07:25:34
redhatcve
redhatcve
CVE-2021-34428
2021-06-22 18:16:39
CVE-2021-28169
2021-06-11 17:12:18
CVE-2021-34429
2021-07-23 08:20:14
veracode
veracode
Insecure Session ID
2021-06-24 03:44:41
Information Disclosure
2021-07-16 06:32:49
Information Disclosure
2021-06-11 07:28:32
openvas
openvas
Eclipse Jetty Session Vulnerability (GHSA-m6cp-vxjx-65j6) - Windows
2021-06-23 00:00:00
Eclipse Jetty Information Disclosure Vulnerability (GHSA-gwcr-j4wh-j3cq)
2021-06-09 00:00:00
Eclipse Jetty Session Vulnerability (GHSA-m6cp-vxjx-65j6) - Linux
2021-06-23 00:00:00
osv
osv
SessionListener can prevent a session from being invalidated breaking logout
2021-06-23 20:23:04
Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
2021-06-10 15:43:22
jetty9 - security update
2021-06-17 00:00:00
redhat
redhat
(RHSA-2021:3758) Moderate: OpenShift Container Platform 4.9.0 packages and security update
2021-10-18 16:34:07
(RHSA-2022:7257) Low: Red Hat Integration Camel-K 1.8.1 security update
2022-10-27 18:11:20
(RHSA-2021:3700) Moderate: Red Hat AMQ Broker 7.9.0 release and security update
2021-09-30 09:53:41
f5
f5
K51975973 : Eclipse Jetty vulnerability CVE-2021-34428
2022-04-26 00:00:00
K51048910 : Eclipse Jetty vulnerability CVE-2021-28169
2022-04-06 00:00:00
github
github
SessionListener can prevent a session from being invalidated breaking logout
2021-06-23 20:23:04
Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
2021-06-10 15:43:22
Administration Console authentication bypass in openfire xmppserver
2023-05-23 19:54:30
cve
cve
CVE-2021-34428
2021-06-22 15:15:16
CVE-2021-28169
2021-06-09 02:15:06
CVE-2021-34429
2021-07-15 17:15:08
srcincite
srcincite
SRC-2021-0017 : Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
2021-05-05 00:00:00
exploitdb
exploitdb
Eclipse Jetty 11.0.5 - Sensitive File Disclosure
2021-11-03 00:00:00
ubuntucve
ubuntucve
CVE-2021-34428
2021-06-22 00:00:00
CVE-2021-28169
2021-06-09 00:00:00
CVE-2021-34429
2021-07-15 00:00:00
prion
prion
Session fixation
2021-06-22 15:15:00
Path traversal
2021-06-09 02:15:00
Security feature bypass
2021-07-15 17:15:00
seebug
seebug
Jetty WEB-INF 信息泄露漏洞(CVE-2021-34428)
2021-07-30 00:00:00
Eclipse Jetty 信息泄露漏洞(CVE-2021-28169)
2021-06-09 00:00:00
cvelist
cvelist
CVE-2021-34428
2021-06-22 14:45:11
CVE-2021-28169
2021-06-09 01:55:09
CVE-2021-34429
2021-07-15 17:00:10
nvd
nvd
CVE-2021-34428
2021-06-22 15:15:16
CVE-2021-28169
2021-06-09 02:15:06
CVE-2021-34429
2021-07-15 17:15:08
debiancve
debiancve
CVE-2021-34428
2021-06-22 15:15:16
CVE-2021-28169
2021-06-09 02:15:06
CVE-2021-34429
2021-07-15 17:15:08
nuclei
nuclei
Eclipse Jetty ConcatServlet - Information Disclosure
2021-06-24 16:00:02
Eclipse Jetty - Information Disclosure
2021-07-22 09:53:19
hackerone
hackerone
Glassdoor: web.xml configuration file disclosure
2020-03-11 15:26:52
suse
suse
Security update for jetty-minimal (moderate)
2021-08-25 00:00:00
Security update for jetty-minimal (important)
2021-07-11 00:00:00
cnvd
cnvd
Eclipse Jetty has an arbitrary file download vulnerability
2021-07-19 00:00:00
zdt
zdt
Eclipse Jetty 11.0.5 - Sensitive File Disclosure Vulnerability
2021-11-03 00:00:00
debian
debian
[SECURITY] [DLA 2688-1] jetty9 security update
2021-06-17 18:46:57
[SECURITY] [DSA 4949-1] jetty9 security update
2021-08-04 21:52:09
amazon
amazon
Medium: jetty
2024-01-03 21:04:00
packetstorm
packetstorm
Jetty WEB-INF File Disclosure
2024-08-31 00:00:00
metasploit
metasploit
Jetty WEB-INF File Disclosure
2021-11-08 19:04:08
oracle
oracle
Oracle Critical Patch Update Advisory - January 2022
2022-01-18 00:00:00
Oracle Critical Patch Update Advisory - October 2021
2021-10-19 00:00:00
Oracle Critical Patch Update Advisory - April 2022
2022-04-19 00:00:00

EPSS

0.473

Percentile

97.5%

JSON
Related for DC598384160FFCC4F7196BB511E6CD474F036CD26C81C27C5E29EC3E0F1BA6FD
ibm34nessus14attackerkb1githubexploit5redhatcve3veracode3openvas13osv8redhat8f52github4cve3srcincite1exploitdb1ubuntucve3prion3seebug2cvelist3nvd3debiancve3nuclei2hackerone1suse2cnvd1zdt1debian2amazon1packetstorm1metasploit1oracle6