CVE-2021-28164

CVE information

Published: 2 years ago

Last Modified: 4 months ago

CVSSv2.0 Severity: Medium

CVSSv3.1 Severity: Medium

Impact Analysis

Description

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example, a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSSv2.0 Score

Severity: Medium
Base Score: 5/10
Exploit Score: 10/10
Access Vector: Network
Access Complexity: Low
Authentication Required: None
Impact Score: 2.9/10
Confidentiality Impact: Partial
Availability Impact: None
Integrity Impact: None

CVSSv3.1 Score

Severity: Medium
Base Score: 5.3/10
Exploit Score: 3.9/10
Access Vector: Network
Access Complexity: Low
Privileges Required: None
Impact Score: 1.4/10
Confidentiality Impact: Low
Availability Impact: None
Integrity Impact: None
Scope: Unchanged
User Interaction: None

Products Affected

CPE Affected Vulnerable Excluding
cpe:2.3:a:eclipse:jetty:9.4.37:20210219:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:eclipse:jetty:9.4.38:20210224:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:santricity_cloud_connector:-:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:e-series_performance_analyzer:-:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:
  Yes
- -
cpe:2.3:a:netapp:virtual_storage_console:*:*:*:*:*:vmware_vs
  Yes
9.6 -
cpe:2.3:a:netapp:storage_replication_adapter_for_clustered_d
  Yes
9.6 -
cpe:2.3:a:netapp:vasa_provider_for_clustered_data_ontap:*:*:
  Yes
9.6 -
cpe:2.3:a:netapp:cloud_manager:-:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere
  Yes
- -
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*
  Yes
11.0 -
cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:
  Yes
- -
cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_managem
  Yes
- -
cpe:2.3:a:oracle:siebel_core_-_automation:*:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:
  Yes
8.0.0 -
cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*
  Yes
- -
cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*
  Yes
- -

References