Access Restriction Bypass Affecting org.eclipse.jetty:jetty-webapp package, versions [9.4.37,9.4.43) [10.0.1,10.0.6) [11.0.1,11.0.6)
Snyk CVSS
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGECLIPSEJETTY-1319666
- published 16 Jul 2021
- disclosed 16 Jul 2021
- credit cangqingzhe, CloverSecLabs
Introduced: 16 Jul 2021
CVE-2021-34429 Open this link in a new tabHow to fix?
Upgrade org.eclipse.jetty:jetty-webapp
to version 9.4.43, 10.0.6, 11.0.6 or higher.
Overview
org.eclipse.jetty:jetty-webapp is a maven plugin for Jetty web application support.
Affected versions of this package are vulnerable to Access Restriction Bypass. URIs can be crafted using some encoded characters to access the content of the WEB-INF
directory and/or bypass some security constraints. For example, a request to /%u002e/WEB-INF/web.xml
can retrieve the web.xml
file. This can reveal sensitive information regarding the implementation of a web application. Similarly, an encoded null character can prevent correct normalization so that /.%00/WEB-INF/web.xml
can also retrieve the web.xml
file.