In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. References: https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
Created jetty tracking bugs for this issue: Affects: fedora-all [bug 1945713]
External References: https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
The issue was introduced with version 9.4.37. Older versions of jetty are not affected.
Upstream patch: https://github.com/eclipse/jetty.project/commit/d80c622b005c044e93f585c231b420a29371f6e0
This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss A-MQ 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat Camel K as having a low impact, although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer, http functionality is provided by camel-k default runtime, Quarkus.
Statement: Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws. Red Hat CodeReady Studio 12 is not affected by this vulnerability because it does not ship a vulnerable version of jetty.
This issue has been addressed in the following products: Red Hat Developer Tools Via RHSA-2021:1509 https://access.redhat.com/errata/RHSA-2021:1509
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-28164
This issue has been addressed in the following products: Red Hat AMQ Streams 1.6.4 Via RHSA-2021:1560 https://access.redhat.com/errata/RHSA-2021:1560
Marking Red Hat Integration Red Hat Integration Service Registry as having a low impact, although Service Registry distributes Jetty as part of Kafka Connect component it is not available in the productised release, meaning jetty is also not available for use by the end application developer.
This issue has been addressed in the following products: Red Hat AMQ 7.8.2 Via RHSA-2021:2689 https://access.redhat.com/errata/RHSA-2021:2689
This issue has been addressed in the following products: Red Hat AMQ Streams 1.8.0 Via RHSA-2021:3225 https://access.redhat.com/errata/RHSA-2021:3225
This issue has been addressed in the following products: Red Hat AMQ 7.9.0 Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
This issue has been addressed in the following products: RHAF Camel-K 1.8 Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407