Is CVE-2021-28164 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 82%.

What products does CVE-2021-28164 affect?

Tracked products affected include Eclipse Jetty. Check the version you run to see whether it is affected.

How do I fix CVE-2021-28164?

Apply the vendor fix in your normal patch cycle. Upgrade affected products to a fixed version.

CVE-2021-28164

Q: What is CVE-2021-28164?

CVE-2021-28164 is a medium-severity software vulnerability (Information disclosure) with a CVSS score of 5.3. In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%

MEDIUM severity · CVSS 5.3 · Information disclosure

5.3CVSS MEDIUM

Summary

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactLow

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)82%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected products we track (1)

Eclipse Jetty

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5Advisory
https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E
https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E
https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E
https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E
https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E
http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.htmlAdvisory