CVE-2021-34429: Eclipse Jetty vulnerability (affecting Eclipse Jetty and products that bundle it)
Published on July 15, 2021

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.


Vulnerability Analysis

CVE-2021-34429 can be exploited with network access, and requires neither privileges nor user interaction. Attack complexity is rated low. The impact of a successful exploit is rated low for confidentiality (reading files under WEB-INF, such as web.xml, or reaching resources that a security constraint should have protected) and none for integrity and availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Weakness Types

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2021-34429 has been classified as an Information Disclosure vulnerability (CWE-200).

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551)

If a web server does not fully parse and canonicalize a requested URL before it examines it for authorization, an attacker may be able to bypass the authorization check. For instance, the path segments /./ and / both refer to the current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may gain access to the resource if /./ is not collapsed to / before the authorization check runs. Percent-encoded forms of the same characters (such as %2e for a dot) raise the same problem: a check that runs on the raw, undecoded path sees a string that does not match the protected prefix, while the file lookup that follows decodes and normalizes it into exactly that prefix.
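The ordering bug above, and the WEB-INF access described in the summary at the top of the page, can be modelled in a few lines. The following is an added illustration, not Jetty's code and not a reproduction of the actual CVE-2021-34429 payloads: a naive check that authorizes the raw request path is shown beside a hardened check that decodes and normalizes first. The protected prefixes, the sample request paths and the decision to refuse paths that still contain escapes or control characters after one decode are all assumptions made for the example.

```python
"""Illustrative model of CWE-551 (authorization before canonicalization).

Assumptions for this example (not from Jetty): the container must never
serve /WEB-INF or /META-INF, percent-escapes are decoded exactly once, and
any path that is still ambiguous after decoding is refused outright.
"""
from urllib.parse import unquote
import posixpath

# Directories a servlet container must never serve directly (assumption).
PROTECTED = ("/WEB-INF", "/META-INF")


def _hits_protected(path: str) -> bool:
    """True if path is a protected directory or anything beneath it.

    Compared case-insensitively as a defensive choice, since the backing
    filesystem may be case-insensitive.
    """
    upper = path.upper()
    return any(upper == p or upper.startswith(p + "/") for p in PROTECTED)


def is_forbidden_naive(raw_path: str) -> bool:
    """Weak check: looks at the path exactly as it arrived on the wire.

    Any dot-segment or percent-escape that the later file lookup removes
    slips past this test. This is the CWE-551 ordering bug.
    """
    return _hits_protected(raw_path)


def canonicalize(raw_path: str) -> str:
    """Decode percent-escapes once, then collapse '.' and '..' segments."""
    decoded = unquote(raw_path)
    return posixpath.normpath(decoded)


def is_forbidden_hardened(raw_path: str) -> bool:
    """Canonicalize first, then authorize.

    Paths that do not canonicalize cleanly are refused rather than guessed
    at: a leftover '%' means double encoding, and control characters
    (including NUL) may be interpreted differently by the filesystem than
    by this check. Refusing a legitimate filename containing a literal '%'
    is the price of that conservatism.
    """
    canon = canonicalize(raw_path)
    if "%" in canon or any(ord(c) < 0x20 or c == "\x7f" for c in canon):
        return True
    if not canon.startswith("/"):
        return True
    return _hits_protected(canon)


# Constructed sample requests; these are not the CVE's actual payloads.
SAMPLE_PATHS = [
    "/index.html",                    # ordinary resource
    "/WEB-INF/web.xml",               # direct request, both checks block
    "/./WEB-INF/web.xml",             # the page's /./ example
    "/%2e/WEB-INF/web.xml",           # same dot, percent-encoded
    "/public/../WEB-INF/web.xml",     # parent-segment traversal
    "/%252e/WEB-INF/web.xml",         # double-encoded: refused as ambiguous
]


def compare(paths=SAMPLE_PATHS):
    """Return {path: (naive_forbidden, hardened_forbidden)} for review."""
    return {p: (is_forbidden_naive(p), is_forbidden_hardened(p)) for p in paths}


if __name__ == "__main__":
    for path, (naive, hardened) in compare().items():
        print(f"{path:32} naive={'deny' if naive else 'allow':5} "
              f"hardened={'deny' if hardened else 'allow'}")
```

The canonicalization step must use the same decoding and normalization rules as the code that later resolves the path to a file; if the two disagree, a gap of exactly this kind reappears.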


Products Associated with CVE-2021-34429

Eclipse Jetty itself, and products that embed a vulnerable Jetty (the Openfire XMPP server is listed under Vulnerable Packages below).

Affected Versions

The Eclipse Foundation Eclipse Jetty: 9.4.37 through 9.4.42, 10.0.1 through 10.0.5, and 11.0.1 through 11.0.5. Fixed in 9.4.43, 10.0.6 and 11.0.6.

Vulnerable Packages

The following package name and versions may be associated with CVE-2021-34429

Package Manager  Vulnerable Package                        Versions              Fixed In
maven            org.igniterealtime.openfire:xmppserver    >= 4.7.0, < 4.7.5     4.7.5
maven            org.igniterealtime.openfire:xmppserver    >= 3.10.0, < 4.6.8    4.6.8
maven            org.eclipse.jetty:jetty-webapp            >= 11.0.1, <= 11.0.5  11.0.6
maven            org.eclipse.jetty:jetty-webapp            >= 10.0.1, <= 10.0.5  10.0.6
maven            org.eclipse.jetty:jetty-webapp            >= 9.4.37, <= 9.4.42  9.4.43

Exploit Probability

EPSS score: 93.78%
Percentile: 99.85%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.