Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2021-28169
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
Eclipse Jetty 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Eclipse Jetty是Eclipse基金会的一个开源的、基于Java的Web服务器和Java Servlet容器。 Eclipse Jetty 中存在安全漏洞,该漏洞源于通过对ConcatServlet的双重编码路径请求访问WEB-INF目录中的受保护资源。以下产品及型号受到影响: Eclipse Jetty 9.4.40 版本及之前版本、Eclipse Jetty 10.0.2 版本及之前版本、Eclipse Jetty 11.0.2 版本及之前版本。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
VendorProductAffected VersionsCPESubscribe
The Eclipse FoundationEclipse Jetty unspecified ~ 9.4.40 -
II. Public POCs for CVE-2021-28169
#POC DescriptionSource LinkShenlong Link
1Eclipse Jetty through 9.4.40, through 10.0.2, and through 11.0.2 is susceptible to information disclosure. Requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory, thus enabling an attacker to potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2021/CVE-2021-28169.yamlPOC Details
2Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E4%B8%AD%E9%97%B4%E4%BB%B6%E6%BC%8F%E6%B4%9E/Jetty%20%E9%80%9A%E7%94%A8%20Servlets%20%E7%BB%84%E4%BB%B6%20ConcatServlet%20%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%20CVE-2021-28169.mdPOC Details
3https://github.com/vulhub/vulhub/blob/master/jetty/CVE-2021-28169/README.mdPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC
III. Intelligence Information for CVE-2021-28169
Please Login to view more intelligence information
IV. Related Vulnerabilities
Same product: Eclipse Jetty
Same vendor: The Eclipse Foundation
Same weakness: CWE-200
V. Comments for CVE-2021-28169

No comments yet

Leave a comment