In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.

According to its self-reported version number, the instance of Jetty hosted on the remote web server is prior to 9.4.39, 10.0.x prior to 10.0.2 or 11.0.x prior to 11.0.2. It is, therefore, affected by multiple vulnerabilities:

 - An issue where CPU usage can reach 100% with a large invalid TLS frame. (CVE-2021-28165)

 - A issue with permitting access to protected resources within the WEB-INF directory when accessed with encoded paths. (CVE-2021-28164)

 - An issue when a symlinked webapps directory is used, the contents of the webapps directory is deployed as a static webapp. (CVE-2021-28163)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:2005-1 advisory.

  - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a     webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp,     inadvertently serving the webapps themselves and anything else that might be in that directory.
    (CVE-2021-28163)

  - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with     URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For     example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive     information regarding the implementation of a web application. (CVE-2021-28164)

  - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can     reach 100% upon receiving a large invalid TLS frame. (CVE-2021-28165)

  - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the     ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For     example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal     sensitive information regarding the implementation of a web application. (CVE-2021-28169)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1551 advisory.

  - golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362)

  - jenkins: lack of type validation in agent related REST API (CVE-2021-21639)

  - jenkins: view name validation bypass (CVE-2021-21640)

  - jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

  - jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

  - golang: crypto/elliptic: incorrect operations on the P-224 curve (CVE-2021-3114)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1509 advisory.

  - jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)

  - jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)

  - jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
112995	Jetty 11.0.x < 11.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112994	Jetty 10.0.x < 10.0.2 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
112993	Jetty < 9.4.39 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	high
151741	openSUSE 15 Security Update : jetty-minimal (openSUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
150895	SUSE SLED15 / SLES15 Security Update : jetty-minimal (SUSE-SU-2021:2005-1)	Nessus	SuSE Local Security Checks	medium
149793	RHEL 7 / 8 : OpenShift Container Platform 4.7.11 (RHSA-2021:1551)	Nessus	Red Hat Local Security Checks	medium
149318	RHEL 7 : rh-eclipse-jetty (RHSA-2021:1509)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2021-28163

low

Tenable Plugins

high

high

high

medium

medium

medium

medium