For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: eclipse
Published: 2021-06-09T01:55:09
Updated: 2024-08-03T21:40:12.267Z
Reserved: 2021-03-12T00:00:00
Link: CVE-2021-28169
Vulnrichment
No data.
NVD
Status : Modified
Published: 2021-06-09T02:15:06.853
Modified: 2023-11-07T03:32:06.387
Link: CVE-2021-28169
Redhat