For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints.

Upstream Issue: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
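Added example, not part of the original report or of the Jetty project's code: a dependency check that flags Jetty jars whose version falls inside the affected ranges quoted above. The jar names in `SAMPLE_JARS` are constructed, and the `jetty-<module>-<version>.jar` file-name pattern is an assumption about how the artifacts appear on disk.

```python
import re

# Affected ranges exactly as stated in the description above (inclusive).
AFFECTED = [
    ((9, 4, 37), (9, 4, 42)),
    ((10, 0, 1), (10, 0, 5)),
    ((11, 0, 1), (11, 0, 5)),
]

# Assumed naming: jetty-<module>-<major>.<minor>.<patch>[.qualifier].jar
JAR_RE = re.compile(
    r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)*\.jar$"
)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-].*)?$")


def is_affected(version):
    """True if a Jetty version string lies in one of the affected ranges."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    v = tuple(int(part) for part in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def scan_jars(paths):
    """Return (path, version) for every Jetty jar in an affected range."""
    findings = []
    for path in paths:
        m = JAR_RE.match(path.rsplit("/", 1)[-1])
        if not m:
            continue  # not a Jetty artifact under the assumed naming
        version = ".".join(m.group(2, 3, 4))
        if is_affected(version):
            findings.append((path, version))
    return findings


# Constructed sample of a lib/ directory listing.
SAMPLE_JARS = [
    "lib/jetty-server-9.4.40.v20210413.jar",
    "lib/jetty-util-9.4.36.v20210114.jar",
    "lib/jetty-http-10.0.3.jar",
    "lib/jetty-io-11.0.6.jar",
    "lib/commons-io-2.8.0.jar",
]

if __name__ == "__main__":
    for path, version in scan_jars(SAMPLE_JARS):
        print(f"AFFECTED {version:10} {path}")
```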
Created jetty tracking bugs for this issue:

Affects: fedora-all [bug 1985225]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following products:
* Red Hat JBoss A-MQ 6
* Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Marking Red Hat Integration Camel K and Camel Quarkus as having a low impact. Although Camel K distributes jetty artifacts through camel-jetty, camel-jetty itself is not available for use by the application developer; HTTP functionality is provided by the camel-k default runtime, Quarkus.
This issue has been addressed in the following products:

Red Hat AMQ 7.9.0

Via RHSA-2021:3700 https://access.redhat.com/errata/RHSA-2021:3700
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-34429
This issue has been addressed in the following products:

Red Hat AMQ Streams 2.0.0

Via RHSA-2022:0138 https://access.redhat.com/errata/RHSA-2022:0138
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days.