In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)

  - In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a     request containing multiple Accept headers with a large number of quality (i.e. q) parameters, the     server may enter a denial of service (DoS) state due to high CPU usage processing those quality values,     resulting in minutes of CPU time exhausted processing those quality values. (CVE-2020-27223)

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

According to its self-reported version number, the instance of Jetty hosted on the remote web server is prior to 9.4.39, 10.0.x prior to 10.0.2 or 11.0.x prior to 11.0.2. It is, therefore, affected by multiple vulnerabilities:

 - An issue where CPU usage can reach 100% with a large invalid TLS frame. (CVE-2021-28165)

 - A issue with permitting access to protected resources within the WEB-INF directory when accessed with encoded paths. (CVE-2021-28164)

 - An issue when a symlinked webapps directory is used, the contents of the webapps directory is deployed as a static webapp. (CVE-2021-28163)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1509 advisory.

    Jetty is a 100% Java HTTP Server and Servlet Container.

    The following packages have been upgraded to a later upstream version: rh-eclipse-jetty (9.4.40).

    Security Fix(es):

    * jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

    * jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

    * jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202285	RHEL 8 : jetty (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
196483	RHEL 7 : jetty (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
112995	Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112994	Jetty 10.0.x < 10.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112993	Jetty < 9.4.39 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
151741	openSUSE 15 Security Update : jetty-minimal (openSUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
150895	SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
149318	RHEL 7 : rh-eclipse-jetty (RHSA-2021:1509)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2021-28164

medium

Tenable Plugins

medium

high

high

high

high

medium

medium

medium