Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities

high Web App Scanning Plugin ID 112995

Synopsis

Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities

Description

According to its self-reported version number, the instance of Jetty hosted on the remote web server is prior to 9.4.39, 10.0.x prior to 10.0.2 or 11.0.x prior to 11.0.2. It is, therefore, affected by multiple vulnerabilities:

- An issue where CPU usage can reach 100% with a large invalid TLS frame. (CVE-2021-28165)

- A issue with permitting access to protected resources within the WEB-INF directory when accessed with encoded paths. (CVE-2021-28164)

- An issue when a symlinked webapps directory is used, the contents of the webapps directory is deployed as a static webapp. (CVE-2021-28163)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Jetty version 11.0.2 or later.

See Also

https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq

https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5

Plugin Details

Severity: High

ID: 112995

Type: remote

Published: 10/4/2021

Updated: 3/14/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2021-28165

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS Score Source: CVE-2021-28165

Vulnerability Information

CPE: cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/20/2021

Vulnerability Publication Date: 4/1/2021

Reference Information

CVE: CVE-2021-28163, CVE-2021-28164, CVE-2021-28165

CWE: 200, 400, 551, 59, 755

OWASP: 2010-A6, 2013-A5, 2013-A9, 2017-A6, 2017-A9, 2021-A1, 2021-A6

WASC: Denial of Service, Information Leakage

CAPEC: 116, 13, 132, 147, 169, 17, 197, 22, 224, 285, 287, 290, 291, 292, 293, 294, 295, 296, 297, 298, 299, 300, 301, 302, 303, 304, 305, 306, 307, 308, 309, 310, 312, 313, 317, 318, 319, 320, 321, 322, 323, 324, 325, 326, 327, 328, 329, 330, 35, 472, 492, 497, 508, 573, 574, 575, 576, 577, 59, 60, 616, 643, 646, 651, 76, 79

DISA STIG: APSC-DV-000460, APSC-DV-002400, APSC-DV-002560, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i)

ISO: 27001-A.12.6.1, 27001-A.14.2.5

NIST: sp800_53-AC-3, sp800_53-CM-6b, sp800_53-SC-24, sp800_53-SC-5, sp800_53-SI-15

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-8.3.4

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5.8