CVE-2021-28169 @ Maven-org.eclipse.jetty:jetty-server-9.4.36.v20210114 #470
Labels
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
Vulnerable Package issue exists @ Maven-org.eclipse.jetty:jetty-server-9.4.36.v20210114 in branch main
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to
/concat?/%2557EB-INF/web.xmlcan retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.Namespace: CxDemoInABoxRepos
Repository: Java-Webgoat
Repository Url: https://github.com/CxDemoInABoxRepos/Java-Webgoat
CxAST-Project: CxDemoInABoxRepos/Java-Webgoat
CxAST platform scan: 188de2bd-a9df-4b09-95f7-dd05d6f06695
Branch: main
Application: Java-Webgoat
Severity: MEDIUM
State: TO_VERIFY
Status: RECURRENT
CWE: CWE-200
Additional Info
Attack vector: NETWORK
Attack complexity: LOW
Confidentiality impact: LOW
Availability impact: NONE
Remediation Upgrade Recommendation: 9.4.43.v20210629
References
Advisory
Commit
Commit
Issue
Pull request
Pull request
The text was updated successfully, but these errors were encountered: