Jetty vulnerability 

Issue date: 21-09-2021
Affects versions: 14.6

Security Issue ID

SECURITY-231

 

Affected Product Version(s)

14.6.0 and previous releases.


Severity 

medium


Description

CVE-2021-28165 (OSSINDEX)

 

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

CVSSv3:

  • Base Score: HIGH (7.5)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2021-28169 (OSSINDEX)  suppress

 

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

CVSSv3:

  • Base Score: MEDIUM (5.3)
  • Vector: CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Instructions

Customers using the 14.x major versions are recommended to upgrade to the latest version in that series.