CVE-2021-28169 PoC — Eclipse Jetty Security Vulnerability

Source
Associated Vulnerability
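Title: Eclipse Jetty Security Vulnerability (CVE-2021-28169)
Description: Eclipse Jetty is an open-source, Java-based web server and Java Servlet container from the Eclipse Foundation. A security vulnerability exists in Eclipse Jetty: requests to the ConcatServlet with a doubly encoded path can access protected resources in the WEB-INF directory. The following products and versions are affected: Eclipse Jetty 9.4.40 and earlier, Eclipse Jetty 10.0.2 and earlier, and Eclipse Jetty 11.0.2 and earlier.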
Description
Eclipse Jetty through 9.4.40, through 10.0.2, and through 11.0.2 is susceptible to information disclosure.  Requests to the ConcatServlet with a doubly encoded path can access protected resources within the WEB-INF directory, thus enabling an attacker to potentially obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site.
File Snapshot

id: CVE-2021-28169 info: name: Eclipse Jetty ConcatServlet - Information Disclosure author: pik ...