Bug 1985223 (CVE-2021-34429) - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints
Summary: CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-34429
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1985225 1986260 1989984
Blocks: 1986116
TreeView+ depends on / blocked
 
Reported: 2021-07-23 08:17 UTC by Marian Rehak
Modified: 2023-09-15 01:11 UTC (History)
46 users (show)

Fixed In Version: jetty 9.4.43, jetty 10.0.6, jetty 11.0.6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-30 12:21:21 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:3700 0 None None None 2021-09-30 09:58:20 UTC
Red Hat Product Errata RHSA-2022:0138 0 None None None 2022-01-13 15:33:12 UTC

Description Marian Rehak 2021-07-23 08:17:35 UTC 
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints.

Upstream Issue:

https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
Comment 1 Marian Rehak 2021-07-23 08:19:14 UTC 
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 1985225]
Comment 2 Jonathan Christison 2021-07-26 17:21:42 UTC 
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 4 Jonathan Christison 2021-07-27 08:40:47 UTC 
This vulnerability is out of security support scope for the following products:
 
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 5 Jonathan Christison 2021-07-27 09:05:42 UTC 
Marking Red Hat Integration Camel K and Camel Quarkus as having a low impact, although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer, http functionality is provided by camel-k default runtime, Quarkus.
Comment 18 errata-xmlrpc 2021-09-30 09:58:18 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
Comment 19 Product Security DevOps Team 2021-09-30 12:21:21 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-34429
Comment 20 errata-xmlrpc 2022-01-13 15:33:09 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Streams 2.0.0

Via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138
Comment 21 Red Hat Bugzilla 2023-09-15 01:11:56 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.