Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CERTFR-2022-AVI-523
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.5 sans le correctif de sécurité 7.5.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.5-20220217192923 | ||
| IBM | MaaS360 | IBM MaaS360 Cloud Extender Agent versions antérieures à 2.106.500.011 | ||
| IBM | MaaS360 | IBM MaaS360 VPN Module versions antérieures à 2.106.500 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.3 sans le correctif de sécurité 7.3.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.3-20220214173614 | ||
| IBM | MaaS360 | IBM MaaS360 Mobile Enterprise Gateway versions antérieures à 2.106.500 | ||
| IBM | QRadar SIEM | IBM QRadar SIEM versions antérieures à 7.4 sans le correctif de sécurité 7.4.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.4-20220217192850 |
References
| Title | Publication Time | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.5 sans le correctif de s\u00e9curit\u00e9 7.5.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.5-20220217192923",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM MaaS360 Cloud Extender Agent versions ant\u00e9rieures \u00e0 2.106.500.011",
"product": {
"name": "MaaS360",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM MaaS360 VPN Module versions ant\u00e9rieures \u00e0 2.106.500",
"product": {
"name": "MaaS360",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.3 sans le correctif de s\u00e9curit\u00e9 7.3.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.3-20220214173614",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM MaaS360 Mobile Enterprise Gateway versions ant\u00e9rieures \u00e0 2.106.500",
"product": {
"name": "MaaS360",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM QRadar SIEM versions ant\u00e9rieures \u00e0 7.4 sans le correctif de s\u00e9curit\u00e9 7.4.0-QRADAR-PROTOCOL-BlueCoatWSSRESTAPI-7.4-20220217192850",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2022-22950",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22950"
},
{
"name": "CVE-2022-22965",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-22965"
},
{
"name": "CVE-2021-28169",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28169"
},
{
"name": "CVE-2021-35516",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35516"
},
{
"name": "CVE-2021-35517",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35517"
},
{
"name": "CVE-2021-28163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28163"
},
{
"name": "CVE-2021-28165",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28165"
},
{
"name": "CVE-2021-36090",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-36090"
},
{
"name": "CVE-2021-22060",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22060"
},
{
"name": "CVE-2022-0547",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0547"
},
{
"name": "CVE-2022-0778",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-0778"
},
{
"name": "CVE-2021-34429",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34429"
},
{
"name": "CVE-2021-28164",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
},
{
"name": "CVE-2021-35515",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-35515"
},
{
"name": "CVE-2021-34428",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-34428"
}
],
"initial_release_date": "2022-06-07T00:00:00",
"last_revision_date": "2022-06-07T00:00:00",
"links": [],
"reference": "CERTFR-2022-AVI-523",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2022-06-07T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM.\nCertaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une\nex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance\net un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2022-06-06",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6592779",
"url": "https://www.ibm.com/support/pages/node/6592779"
},
{
"published_at": "2022-06-06",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6592807",
"url": "https://www.ibm.com/support/pages/node/6592807"
},
{
"published_at": "2022-06-06",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6592799",
"url": "https://www.ibm.com/support/pages/node/6592799"
}
]
}
CVE-2021-35517 (GCVE-0-2021-35517)
Vulnerability from cvelistv5
Published
2021-07-13 07:15
Modified
2024-08-04 00:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Summary
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Compress |
Version: 1.1 < Apache Commons Compress* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:46.713Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/3"
},
{
"name": "[announce] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/5"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[flink-issues] 20210908 [GitHub] [flink] MartijnVisser opened a new pull request #17194: [FLINK-24034] Upgrade commons-compress to 1.21 and other apache.commons updates",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Compress",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Commons Compress*",
"status": "affected",
"version": "1.1",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by OSS Fuzz."
}
],
"descriptions": [
{
"lang": "en",
"value": "When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 tar package."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:29:52",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/3"
},
{
"name": "[announce] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203%40%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46%40%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/5"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[flink-issues] 20210908 [GitHub] [flink] MartijnVisser opened a new pull request #17194: [FLINK-24034] Upgrade commons-compress to 1.21 and other apache.commons updates",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29%40%3Cissues.flink.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-35517",
"STATE": "PUBLIC",
"TITLE": "Apache Commons Compress 1.1 to 1.20 denial of service vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Compress",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache Commons Compress",
"version_value": "1.1"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Commons Compress",
"version_value": "1.20 +1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by OSS Fuzz."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 tar package."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-130 Improper Handling of Length Parameter Inconsistency "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://commons.apache.org/proper/commons-compress/security-reports.html",
"refsource": "MISC",
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"name": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r605d906b710b95f1bbe0036a53ac6968f667f2c249b6fbabada9a940%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/3"
},
{
"name": "[announce] 20210713 CVE-2021-35517: Apache Commons Compress 1.1 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra393ffdc7c90a4a37ea023946f390285693795013a642d80fba20203@%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54afdab05e01de970649c2d91a993f68a6b00cd73e6e34e16c832d46@%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r457b2ed564860996b20d938566fe8bd4bfb7c37be8e205448ccb5975@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36373: Apache Ant TAR archive denial of service vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/5"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[flink-issues] 20210908 [GitHub] [flink] MartijnVisser opened a new pull request #17194: [FLINK-24034] Upgrade commons-compress to 1.21 and other apache.commons updates",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r31f75743ac173b0a606f8ea6ea53f351f386c44e7bcf78ae04007c29@%3Cissues.flink.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211022-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-35517",
"datePublished": "2021-07-13T07:15:22",
"dateReserved": "2021-06-27T00:00:00",
"dateUpdated": "2024-08-04T00:40:46.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28169 (GCVE-0-2021-28169)
Vulnerability from cvelistv5
Published
2021-06-09 01:55
Modified
2024-08-03 21:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: unspecified < Version: unspecified < Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:40:12.267Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq"
},
{
"name": "[kafka-users] 20210617 vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210727-0009/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThanOrEqual": "9.4.40",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:54:32",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq"
},
{
"name": "[kafka-users] 20210617 vulnerabilities",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210727-0009/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-28169",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_value": "9.4.40"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.2"
},
{
"version_affected": "\u003c=",
"version_value": "11.0.2"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application."
}
]
},
"impact": {
"cvss": {
"baseScore": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq"
},
{
"name": "[kafka-users] 20210617 vulnerabilities",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20210617 [SECURITY] [DLA 2688-1] jetty9 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/06/msg00017.html"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210623 [jira] [Created] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma commented on pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210704 [GitHub] [kafka] ijuma merged pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Updated] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210722 [jira] [Resolved] (KAFKA-12985) CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25@%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfff6ff8ffb31e8a32619c79774def44b6ffbb037c128c5ad3eab7171@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210928 [jira] [Created] (ZOOKEEPER-4390) CVE-2021-28169 - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210727-0009/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210727-0009/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-28169",
"datePublished": "2021-06-09T01:55:09",
"dateReserved": "2021-03-12T00:00:00",
"dateUpdated": "2024-08-03T21:40:12.267Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0778 (GCVE-0-2022-0778)
Vulnerability from cvelistv5
Published
2022-03-15 17:05
Modified
2024-09-17 00:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Infinite loop
Summary
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc).
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:40:03.765Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65"
},
{
"tags": [
"x_transferred"
],
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83"
},
{
"name": "DSA-5103",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2022/dsa-5103"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2953-1] openssl1.0 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"
},
{
"name": "FEDORA-2022-a5f51502f0",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/"
},
{
"name": "FEDORA-2022-9e88b5d8d7",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/"
},
{
"name": "FEDORA-2022-8bb51f6901",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220321-0002/"
},
{
"tags": [
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-06"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-07"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-08"
},
{
"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/33"
},
{
"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/35"
},
{
"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/May/38"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213257"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213256"
},
{
"tags": [
"x_transferred"
],
"url": "https://support.apple.com/kb/HT213255"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.tenable.com/security/tns-2022-09"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20220429-0005/"
},
{
"tags": [
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "OpenSSL",
"vendor": "OpenSSL",
"versions": [
{
"status": "affected",
"version": "Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1)"
},
{
"status": "affected",
"version": "Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m)"
},
{
"status": "affected",
"version": "Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Tavis Ormandy (Google)"
}
],
"datePublic": "2022-03-15T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc)."
}
],
"metrics": [
{
"other": {
"content": {
"lang": "eng",
"url": "https://www.openssl.org/policies/secpolicy.html#High",
"value": "High"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Infinite loop",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T19:07:01.186352",
"orgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"shortName": "openssl"
},
"references": [
{
"url": "https://www.openssl.org/news/secadv/20220315.txt"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=a466912611aa6cbdf550cd10601390e587451246"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=3118eb64934499d93db3230748a452351d1d9a65"
},
{
"url": "https://git.openssl.org/gitweb/?p=openssl.git%3Ba=commitdiff%3Bh=380085481c64de749a6dd25cdf0bcf4360b30f83"
},
{
"name": "DSA-5103",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5103"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2952-1] openssl security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00023.html"
},
{
"name": "[debian-lts-announce] 20220317 [SECURITY] [DLA 2953-1] openssl1.0 security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/03/msg00024.html"
},
{
"name": "FEDORA-2022-a5f51502f0",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GDB3GQVJPXJE7X5C5JN6JAA4XUDWD6E6/"
},
{
"name": "FEDORA-2022-9e88b5d8d7",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/323SNN6ZX7PRJJWP2BUAFLPUAE42XWLZ/"
},
{
"name": "FEDORA-2022-8bb51f6901",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W6K3PR542DXWLEFFMFIDMME4CWMHJRMG/"
},
{
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220321-0002/"
},
{
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0002"
},
{
"url": "https://www.tenable.com/security/tns-2022-06"
},
{
"url": "https://www.tenable.com/security/tns-2022-07"
},
{
"url": "https://www.tenable.com/security/tns-2022-08"
},
{
"name": "20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/33"
},
{
"name": "20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/35"
},
{
"name": "20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4",
"tags": [
"mailing-list"
],
"url": "http://seclists.org/fulldisclosure/2022/May/38"
},
{
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"url": "https://support.apple.com/kb/HT213257"
},
{
"url": "https://support.apple.com/kb/HT213256"
},
{
"url": "https://support.apple.com/kb/HT213255"
},
{
"url": "https://www.tenable.com/security/tns-2022-09"
},
{
"url": "https://security.netapp.com/advisory/ntap-20220429-0005/"
},
{
"url": "http://packetstormsecurity.com/files/167344/OpenSSL-1.0.2-1.1.1-3.0-BN_mod_sqrt-Infinite-Loop.html"
},
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-712929.pdf"
},
{
"name": "GLSA-202210-02",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202210-02"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240621-0006/"
}
],
"title": "Infinite loop in BN_mod_sqrt() reachable when parsing certificates"
}
},
"cveMetadata": {
"assignerOrgId": "3a12439a-ef3a-4c79-92e6-6081a721f1e5",
"assignerShortName": "openssl",
"cveId": "CVE-2022-0778",
"datePublished": "2022-03-15T17:05:20.382533Z",
"dateReserved": "2022-02-28T00:00:00",
"dateUpdated": "2024-09-17T00:01:02.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28163 (GCVE-0-2021-28163)
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.32 < unspecified Version: unspecified < Version: 10.0.0.beta2 < unspecified Version: unspecified < Version: 11.0.0.beta2 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:40:12.280Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "FEDORA-2021-444e38face",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/"
},
{
"name": "FEDORA-2021-35f06984d7",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/"
},
{
"name": "FEDORA-2021-fd66b2bd53",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "9.4.32",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.38",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0.beta2",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:54:15",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "FEDORA-2021-444e38face",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/"
},
{
"name": "FEDORA-2021-35f06984d7",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/"
},
{
"name": "FEDORA-2021-fd66b2bd53",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-28163",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "9.4.32"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.38"
},
{
"version_affected": "\u003e=",
"version_value": "10.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0.beta2"
},
{
"version_affected": "\u003c=",
"version_value": "11.0.1"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory."
}
]
},
"impact": {
"cvss": {
"baseScore": 2.7,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-j6qj-j888-vvgq"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Created] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r787e47297a614b05b99d01b04c8a1d6c0cafb480c9cb7c624a6b8fc3@%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E"
},
{
"name": "FEDORA-2021-444e38face",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HAAKW7S66TECXGJZWB3ZFGOQAK34IYHF/"
},
{
"name": "FEDORA-2021-35f06984d7",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5CXQIJVYU4R3JL6LSPXQ5GIV7WLLA7PI/"
},
{
"name": "FEDORA-2021-fd66b2bd53",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GGNKXBNRRCZTGGXPIX3VBWCF2SAM3DWS/"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210611-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-28163",
"datePublished": "2021-04-01T14:20:13",
"dateReserved": "2021-03-12T00:00:00",
"dateUpdated": "2024-08-03T21:40:12.280Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22965 (GCVE-0-2022-22965)
Vulnerability from cvelistv5
Published
2022-04-01 22:17
Modified
2025-07-30 01:37
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
References
| URL | Tags | |||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Framework |
Version: Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.725Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://www.kb.cert.org/vuls/id/970766"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22965"
},
{
"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory",
"x_refsource_CISCO",
"x_transferred"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-22965",
"options": [
{
"Exploitation": "active"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-29T17:52:10.886552Z",
"version": "2.0.3"
},
"type": "ssvc"
}
},
{
"other": {
"content": {
"dateAdded": "2022-04-04",
"reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-22965"
},
"type": "kev"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T01:37:44.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"timeline": [
{
"lang": "en",
"time": "2022-04-04T00:00:00+00:00",
"value": "CVE-2022-22965 added to CISA KEV"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:46:59.000Z",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22965"
},
{
"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022",
"tags": [
"vendor-advisory",
"x_refsource_CISCO"
],
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2022-22965",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Spring Framework versions 5.3.X prior to 5.3.18+, 5.2.x prior to 5.2.20+ and all old and unsupported versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2022-22965",
"refsource": "MISC",
"url": "https://tanzu.vmware.com/security/cve-2022-22965"
},
{
"name": "20220401 Vulnerability in Spring Framework Affecting Cisco Products: March 2022",
"refsource": "CISCO",
"url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-java-spring-rce-Zx9GUc67"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005",
"refsource": "CONFIRM",
"url": "https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0005"
},
{
"name": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/166713/Spring4Shell-Code-Execution.html"
},
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf",
"refsource": "CONFIRM",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-254054.pdf"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
},
{
"name": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167011/Spring4Shell-Spring-Framework-Class-Property-Remote-Code-Execution.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-22965",
"datePublished": "2022-04-01T22:17:30.000Z",
"dateReserved": "2022-01-10T00:00:00.000Z",
"dateUpdated": "2025-07-30T01:37:44.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28164 (GCVE-0-2021-28164)
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2024-08-03 21:40
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.37.v20210219 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:40:12.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "9.4.37.v20210219",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.38.v20210224",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-551",
"description": "CWE-551",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:54:18",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-28164",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "9.4.37.v20210219"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.38.v20210224"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application."
}
]
},
"impact": {
"cvss": {
"baseScore": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-551"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210611-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-28164",
"datePublished": "2021-04-01T14:20:14",
"dateReserved": "2021-03-12T00:00:00",
"dateUpdated": "2024-08-03T21:40:12.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0547 (GCVE-0-2022-0547)
Vulnerability from cvelistv5
Published
2022-03-18 18:00
Modified
2025-04-23 18:46
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-305 - - Authentication Bypass by Primary Weakness
Summary
OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://community.openvpn.net/openvpn/wiki/CVE-2022-0547"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://openvpn.net/community-downloads/"
},
{
"name": "FEDORA-2022-7d46acce7c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R36OYC5SJ6FLPVAYJYYT4MOJ2I7MGYFF/"
},
{
"name": "FEDORA-2022-cb4c1146dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFXJ35WKPME4HYNQCQNAJHLCZOJL2SAE/"
},
{
"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2992-1] openvpn security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-0547",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T13:27:37.639278Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:46:01.507Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "OpenVPN",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "version 2.1 until version 2.4.12 and 2.5.6."
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-305",
"description": "CWE-305 - Authentication Bypass by Primary Weakness",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-05-03T13:06:11.000Z",
"orgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"shortName": "OpenVPN"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://community.openvpn.net/openvpn/wiki/CVE-2022-0547"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://openvpn.net/community-downloads/"
},
{
"name": "FEDORA-2022-7d46acce7c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R36OYC5SJ6FLPVAYJYYT4MOJ2I7MGYFF/"
},
{
"name": "FEDORA-2022-cb4c1146dc",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GFXJ35WKPME4HYNQCQNAJHLCZOJL2SAE/"
},
{
"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2992-1] openvpn security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@openvpn.net",
"ID": "CVE-2022-0547",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "OpenVPN",
"version": {
"version_data": [
{
"version_value": "version 2.1 until version 2.4.12 and 2.5.6."
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-305 - Authentication Bypass by Primary Weakness"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements",
"refsource": "MISC",
"url": "https://community.openvpn.net/openvpn/wiki/SecurityAnnouncements"
},
{
"name": "https://community.openvpn.net/openvpn/wiki/CVE-2022-0547",
"refsource": "MISC",
"url": "https://community.openvpn.net/openvpn/wiki/CVE-2022-0547"
},
{
"name": "https://openvpn.net/community-downloads/",
"refsource": "MISC",
"url": "https://openvpn.net/community-downloads/"
},
{
"name": "FEDORA-2022-7d46acce7c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R36OYC5SJ6FLPVAYJYYT4MOJ2I7MGYFF/"
},
{
"name": "FEDORA-2022-cb4c1146dc",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GFXJ35WKPME4HYNQCQNAJHLCZOJL2SAE/"
},
{
"name": "[debian-lts-announce] 20220503 [SECURITY] [DLA 2992-1] openvpn security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00002.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36a55730-e66d-4d39-8ca6-3c3b3017965e",
"assignerShortName": "OpenVPN",
"cveId": "CVE-2022-0547",
"datePublished": "2022-03-18T18:00:20.000Z",
"dateReserved": "2022-02-08T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:46:01.507Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34428 (GCVE-0-2021-34428)
Vulnerability from cvelistv5
Published
2021-06-22 14:45
Modified
2024-08-04 00:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: 9.0.0 < unspecified Version: unspecified < Version: 10.0.0 < unspecified Version: unspecified < Version: 11.0.0 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:12:50.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210813-0003/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "9.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.40",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.2",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 2.9,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:55:25",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210813-0003/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-34428",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "9.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.40"
},
{
"version_affected": "\u003e=",
"version_value": "10.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.2"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0"
},
{
"version_affected": "\u003c=",
"version_value": "11.0.2"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For Eclipse Jetty versions \u003c= 9.4.40, \u003c= 10.0.2, \u003c= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in."
}
]
},
"impact": {
"cvss": {
"baseScore": 2.9,
"vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-613"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6"
},
{
"name": "[kafka-jira] 20210623 [GitHub] [kafka] dongjinleekr opened a new pull request #10919: KAFKA-12985: CVE-2021-28169 - Upgrade jetty to 9.4.41",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ref1c161a1621504e673f9197b49e6efe5a33ce3f0e6d8f1f804fc695@%3Cjira.kafka.apache.org%3E"
},
{
"name": "DSA-4949",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf36f1114e84a3379b20587063686148e2d5a39abc0b8a66ff2a9087a@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, - Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210928 [jira] [Updated] (ZOOKEEPER-4390) CVE-2021-28169 , CVE-2021-28163, CVE-2021-34428- Upgrade jetty to 9.4.42",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210813-0003/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210813-0003/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-34428",
"datePublished": "2021-06-22T14:45:11",
"dateReserved": "2021-06-09T00:00:00",
"dateUpdated": "2024-08-04T00:12:50.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-22950 (GCVE-0-2022-22950)
Vulnerability from cvelistv5
Published
2022-04-01 22:17
Modified
2024-08-03 03:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Summary
n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Framework |
Version: Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:28:42.433Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22950"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-01T22:17:32",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tanzu.vmware.com/security/cve-2022-22950"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2022-22950",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Spring Framework versions 5.3.X prior to 5.3.17+ and all old and unsupported versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-770: Allocation of Resources Without Limits or Throttling"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2022-22950",
"refsource": "MISC",
"url": "https://tanzu.vmware.com/security/cve-2022-22950"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2022-22950",
"datePublished": "2022-04-01T22:17:32",
"dateReserved": "2022-01-10T00:00:00",
"dateUpdated": "2024-08-03T03:28:42.433Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-36090 (GCVE-0-2021-36090)
Vulnerability from cvelistv5
Published
2021-07-13 07:15
Modified
2024-08-04 00:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Summary
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Compress |
Version: Apache Commons Compress < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:47:43.813Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/4"
},
{
"name": "[announce] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/6"
},
{
"name": "[james-notifications] 20210714 [GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[drill-dev] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-commits] 20210804 [drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210804 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210805 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210805 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210811 [GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Compress",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "1.20",
"status": "affected",
"version": "Apache Commons Compress",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by OSS Fuzz."
}
],
"descriptions": [
{
"lang": "en",
"value": "When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 zip package."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:30:13",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/4"
},
{
"name": "[announce] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53%40%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38%40%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9%40%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/6"
},
{
"name": "[james-notifications] 20210714 [GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7%40%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[drill-dev] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-commits] 20210804 [drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949%40%3Ccommits.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210804 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210805 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456%40%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210805 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd%40%3Cissues.drill.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210811 [GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later."
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-36090",
"STATE": "PUBLIC",
"TITLE": "Apache Commons Compress 1.0 to 1.20 denial of service vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Compress",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "Apache Commons Compress",
"version_value": "1.20"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by OSS Fuzz."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 zip package."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-130 Improper Handling of Length Parameter Inconsistency "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://commons.apache.org/proper/commons-compress/security-reports.html",
"refsource": "MISC",
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"name": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rc4134026d7d7b053d4f9f2205531122732405012c8804fd850a9b26f%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/4"
},
{
"name": "[announce] 20210713 CVE-2021-36090: Apache Commons Compress 1.0 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9a23d4dbf4e34d498664080bff59f2893b855eb16dae33e4aa92fa53@%3Cannounce.apache.org%3E"
},
{
"name": "[ant-user] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdd5412a5b9a25aed2a02c3317052d38a97128314d50bc1ed36e81d38@%3Cuser.ant.apache.org%3E"
},
{
"name": "[announce] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0e87177f8e78b4ee453cd4d3d8f4ddec6f10d2c27707dd71e12cafc9@%3Cannounce.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-36374: Apache Ant ZIP, and ZIP based, archive denial of service vulerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/6"
},
{
"name": "[james-notifications] 20210714 [GitHub] [james-project] chibenwa opened a new pull request #537: [UPGRADE] Security upgrade: common-compress to 1.21",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb5fa2ee61828fa2e42361b58468717e84902dd71c4aea8dc0b865df7@%3Cnotifications.james.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[drill-dev] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc7df4c2f0bbe2028a1498a46d322c91184f7a369e3e4c57d9518cacf@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210803 [jira] [Created] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf3f0a09fee197168a813966c5816157f6c600a47313a0d6813148ea6@%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong opened a new pull request #2285: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbbf42642c3e4167788a7c13763d192ee049604d099681f765385d99d@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-commits] 20210804 [drill] branch master updated: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r54049b66afbca766b6763c7531e9fe7a20293a112bcb65462a134949@%3Ccommits.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210804 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4f03c5de923e3f2a8c316248681258125140514ef3307bfe1538e1ab@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210804 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf93b6bb267580e01deb7f3696f7eaca00a290c66189a658cf7230a1a@%3Cissues.drill.apache.org%3E"
},
{
"name": "[drill-dev] 20210805 [GitHub] [drill] luocooong merged pull request #2285: DRILL-7981: Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r25f4c44616045085bc3cf901bb7e68e445eee53d1966fc08998fc456@%3Cdev.drill.apache.org%3E"
},
{
"name": "[drill-issues] 20210805 [jira] [Commented] (DRILL-7981) Bump commons-compress from 1.20 to 1.21 for CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3227b1287e5bd8db6523b862c22676b046ad8f4fc96433225f46a2bd@%3Cissues.drill.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210811 [GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r75ffc7a461e7e7ae77690fa75bd47bb71365c732e0fbcc44da4f8ff5@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211022-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later."
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-36090",
"datePublished": "2021-07-13T07:15:23",
"dateReserved": "2021-07-01T00:00:00",
"dateUpdated": "2024-08-04T00:47:43.813Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35516 (GCVE-0-2021-35516)
Vulnerability from cvelistv5
Published
2021-07-13 07:15
Modified
2024-08-04 00:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-130 - Improper Handling of Length Parameter Inconsistency
Summary
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Compress |
Version: 1.6 < Apache Commons Compress* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:46.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/2"
},
{
"name": "[announce] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91%40%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Compress",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Commons Compress*",
"status": "affected",
"version": "1.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was first reported to the project\u0027s issue tracker as COMPRESS-542 by Robin Schimpf. Later OSS Fuzz detected ways to exploit this issue which managed to escape the initial attempt to fix it."
}
],
"descriptions": [
{
"lang": "en",
"value": "When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 sevenz package."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-130",
"description": "CWE-130 Improper Handling of Length Parameter Inconsistency ",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:29:39",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/2"
},
{
"name": "[announce] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91%40%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"defect": [
"COMPRESS-542"
],
"discovery": "UNKNOWN"
},
"title": "Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later.\n\nWith Compress 1.19 we introduced a feature that tries to recover broken 7z archives, which makes it far easier to exploit this weakness. As a result we have disabled the recovery code by default and users need to enable it explicitly. In addition users are able to control the amount of memory SevenZFile may use and we strongly recommend using this feature when trying to recover broken archives.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-35516",
"STATE": "PUBLIC",
"TITLE": "Apache Commons Compress 1.6 to 1.20 denial of service vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Compress",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache Commons Compress",
"version_value": "1.6"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Commons Compress",
"version_value": "1.20 +1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was first reported to the project\u0027s issue tracker as COMPRESS-542 by Robin Schimpf. Later OSS Fuzz detected ways to exploit this issue which managed to escape the initial attempt to fix it."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress\u0027 sevenz package."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-130 Improper Handling of Length Parameter Inconsistency "
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://commons.apache.org/proper/commons-compress/security-reports.html",
"refsource": "MISC",
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"name": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/2"
},
{
"name": "[announce] 20210713 CVE-2021-35516: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211022-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"defect": [
"COMPRESS-542"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later.\n\nWith Compress 1.19 we introduced a feature that tries to recover broken 7z archives, which makes it far easier to exploit this weakness. As a result we have disabled the recovery code by default and users need to enable it explicitly. In addition users are able to control the amount of memory SevenZFile may use and we strongly recommend using this feature when trying to recover broken archives.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-35516",
"datePublished": "2021-07-13T07:15:20",
"dateReserved": "2021-06-27T00:00:00",
"dateUpdated": "2024-08-04T00:40:46.628Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-28165 (GCVE-0-2021-28165)
Vulnerability from cvelistv5
Published
2021-04-01 14:20
Modified
2025-08-27 20:37
Severity ?
VLAI Severity ?
EPSS score ?
Summary
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: 7.2.2 < unspecified Version: unspecified < Version: 10.0.0.alpha0 < unspecified Version: unspecified < Version: 11.0.0.alpha0 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T21:40:12.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[oss-security] 20210420 Vulnerability in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/04/20/3"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2021-28165",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-27T20:37:21.074048Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-755",
"description": "CWE-755 Improper Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-27T20:37:23.768Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "7.2.2",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.38",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.0.alpha0",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.0.alpha0",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-551",
"description": "CWE-551",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:54:20.000Z",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424%40%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97%40%3Ccommits.spark.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1%40%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e%40%3Cdev.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[oss-security] 20210420 Vulnerability in Jenkins",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/04/20/3"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7%40%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f%40%3Cissues.solr.apache.org%3E"
},
{
"name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a%40%3Cjira.kafka.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "DSA-4949",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c%40%3Cissues.solr.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-28165",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "7.2.2"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.38"
},
{
"version_affected": "\u003e=",
"version_value": "10.0.0.alpha0"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.1"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.0.alpha0"
},
{
"version_affected": "\u003c=",
"version_value": "11.0.1"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame."
}
]
},
"impact": {
"cvss": {
"baseScore": 7.5,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-551"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r17e26cf9a1e3cbc09522d15ece5d7c7a00cdced7641b92a22a783287@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Assigned] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5f172f2dd8fb02f032ef4437218fd4f610605a3dd4f2a024c1e43b94@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra210e38ae0bf615084390b26ba01bb5d66c0a76f232277446ae0948a@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Updated] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.38 CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re577736ca7da51952c910b345a500b7676ea9931c9b19709b87f292b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbcd7b477df55857bb6cae21fcc4404683ac98aac1a47551f0dc55486@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9db72e9c33b93eba45a214af588f1d553839b5c3080fc913854a49ab@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 [jira] [Created] (ZOOKEEPER-4277) dependency-check:check failing - jetty-server-9.4.39 CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re6614b4fe7dbb945409daadb9e1cc73c02383df68bf9334736107a6e@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210407 Re: [VOTE] Apache ZooKeeper release 3.6.3 candidate 1",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r56e5568ac73daedcb3b5affbb4b908999f03d3c1b1ada3920b01e959@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar opened a new pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra21b3e6bd9669377139fe33fb46edf6fece3f31375bc42a0dcc964b2@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbba0b02a3287e34af328070dd58f7828612f96e2e64992137f4dc63d@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf99f9a25ca24fe519c9346388f61b5b3a09be31b800bf37f01473ad7@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdf4fe435891e8c35e70ea5da033b4c3da78760f15a8c4212fad89d9f@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad closed pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb11a13e623218c70b9f2a2d0d122fdaaf905e04a2edcd23761894464@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bf7004c18c914fae3d5a6a0191d477e5b6408d95669b3afbf6efa36@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] asfgit closed pull request #1675: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra9dd15ba8a4fb7e42c7fe948a6d6b3868fd6bbf8e3fb37fcf33b2cd0@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210407 [GitHub] [zookeeper] arshadmohammad commented on pull request #1676: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r002258611ed0c35b82b839d284b43db9dcdec120db8afc1c993137dc@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0a241b0649beef90d422b42a26a2470d336e59e66970eafd54f9c3e2@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch branch-3.6.3 updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc907ed7b089828364437de5ed57fa062330970dc1bc5cd214b711f77@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210407 [zookeeper] branch master updated: ZOOKEEPER-4277: update jetty to 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r33eb3889ca0aa12720355e64fc2f8f1e8c0c28a4d55b3b4b8891becb@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[hbase-dev] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4abbd760d24bab2b8f1294c5c9216ae915100099c4391ad64e9ae38b@%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] apurtell opened a new pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ra50519652b0b7f869a14fbfb4be9758a29171d7fe561bb7e036e8449@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [GitHub] [hbase-thirdparty] Apache-HBase commented on pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdbf2a2cd1800540ae50dd78b57411229223a6172117d62b8e57596aa@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Created] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbab9e67ec97591d063905bc7d4743e6a673f1bc457975fc0445ac97f@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210407 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0f02034a33076fd7243cf3a8807d2766e373f5cb2e7fd0c9a78f97c4@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Created] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r03ca0b69db1e3e5f72fe484b71370d537cd711cbf334e2913332730a@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Commented] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r83453ec252af729996476e5839d0b28f07294959d60fea1bd76f7d81@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5d1f16dca2e010193840068f1a1ec17b7015e91acc646607cbc0a4da@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r940f15db77a96f6aea92d830bc94d8d95f26cc593394d144755824da@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Updated] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7c40fb3a66a39b6e6c83b0454bc6917ffe6c69e3131322be9c07a1da@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Assigned] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r942f4a903d0abb25ac75c592e57df98dea51350e8589269a72fd7913@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6de4c249bd74007f5f66f683c110535f46e719d2f83a41e8faf295f@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb8f5a6ded384eb00608e6137e87110e7dd7d5054cc34561cb89b81af@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3a1617d16a7367f767b8209b2151f4c19958196354b39568c532f26@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] HyukjinKwon commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2f2d9c3b7cc750a6763d6388bcf5db0c7b467bd8be6ac4d6aea4f0cf@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0cd1a5e3f4ad4770b44f8aa96572fc09d5b35bec149c0cc247579c42@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdfe5f1c071ba9dadba18d7fb0ff13ea6ecb33da624250c559999eaeb@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9b793db9f395b546e66fb9c44fe1cd75c7755029e944dfee31b8b779@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-issues] 20210408 [jira] [Resolved] (SPARK-34988) Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9fae5a4087d9ed1c9d4f0c7493b6981a4741cfb4bebb2416da638424@%3Cissues.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r769155244ca2da2948a44091bb3bb9a56e7e1c71ecc720b8ecf281f0@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk commented on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfd3ff6e66b6bbcfb2fefa9f5a20328937c0369b2e142e3e1c6774743@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] MaxGekk closed pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb66ed0b4bb74836add60dd5ddf9172016380b2aeefb7f96fe348537b@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc6c43c3180c0efe00497c73dd374cd34b62036cb67987ad42c1f2dce@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] sarutak opened a new pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r31f591a0deac927ede8ccc3eac4bb92697ee2361bf01549f9e3440ca@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rae8bbc5a516f3e21b8a55e61ff6ad0ced03bdbd116d2170a3eed9f5c@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbd9a837a18ca57ac0d9b4165a6eec95ee132f55d025666fe41099f33@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raea6e820644e8c5a577f77d4e2044f8ab52183c2536b00c56738beef@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1624b9777a3070135e94331a428c6653a6a1edccd56fa9fb7a547f2@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32091: [SPARK-34988][CORE] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/ree1895a256a9db951e0d97a76222909c2e1f28c1a3d89933173deed6@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd6c1eb9a8a94b3ac8a525d74d792924e8469f201b77e1afcf774e7a6@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] AmplabJenkins removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb2d34abb67cdf525945fe4b821c5cdbca29a78d586ae1f9f505a311c@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb00345f6b1620b553d2cc1acaf3017aa75cea3776b911e024fa3b187@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r05db8e0ef01e1280cc7543575ae0fa1c2b4d06a8b928916ef65dd2ad@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] SparkQA removed a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r71031d0acb1de55c9ab32f4750c50ce2f28543252e887ca03bd5621e@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r06d54a297cb8217c66e5190912a955fb870ba47da164002bf2baffe5@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rdde34d53aa80193cda016272d61e6749f8a9044ccb37a30768938f7e@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun edited a comment on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r411d75dc6bcefadaaea246549dd18e8d391a880ddf28a796f09ce152@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-3.0 updated: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2afc72af069a7fe89ca2de847f3ab3971cb1d668a9497c999946cd78@%3Ccommits.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun closed pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0a4797ba6ceea8074f47574a4f3cc11493d514c1fab8203ebd212add@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen closed pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r23785214d47673b811ef119ca3a40f729801865ea1e891572d15faa6@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] viirya commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf1b02dfccd27b8bbc3afd119b212452fa32e9ed7d506be9357a3a7ec@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r47a7542ab61da865fff3db0fe74bfe76c89a37b6e6d2c2a423f8baee@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32093: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r72bf813ed4737196ea3ed26494e949577be587fd5939fe8be09907c7@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] srowen commented on pull request #32094: [SPARK-34988][CORE][3.0] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r746434be6abff9ad321ff54ecae09e1f09c1c7c139021f40a5774090@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210408 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6ce2907b2691c025250ba010bc797677ef78d5994d08507a2e5477c9@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-commits] 20210408 [spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd24d8a059233167b4a5aebda4b3534ca1d86caa8a85b10a73403ee97@%3Ccommits.spark.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [GitHub] [hbase-thirdparty] apurtell merged pull request #49: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7189bf41cb0c483629917a01cf296f9fbdbda3987084595192e3845d@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210408 [jira] [Updated] (HBASE-25746) [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4891d45625cc522fe0eb764ac50d48bcca9c0db4805ea4a998d4c225@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-commits] 20210408 [hbase-thirdparty] branch master updated: HBASE-25746 [hbase-thirdparty] Update jetty to \u003e= 9.4.39 due to CVE-2021-28165 (#49)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re0545ecced2d468c94ce4dcfa37d40a9573cc68ef5f6839ffca9c1c1@%3Ccommits.hbase.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] dinghram opened a new pull request #10183: CVE-2021-28165-Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r520c56519b8820955a86966f499e7a0afcbcf669d6f7da59ef1eb155@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210409 [GitHub] [pulsar] merlimat commented on pull request #10183: CVE-2021-28165-Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfc9f51b4e21022b3cd6cb6f90791a6a6999560212e519b5f09db0aed@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r65daad30d13f7c56eb5c3d7733ad8dddbf62c469175410777a78d812@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210412 [jira] [Created] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6535b2beddf0ed2d263ab64ff365a5f790df135a1a2f45786417adb7@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc4779abc1cface47e956cf9f8910f15d79c24477e7b1ac9be076a825@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai closed pull request #10183: CVE-2021-28165-Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcdea97f4d3233298296aabc103c9fcefbf629425418c2b69bb16745f@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210412 [GitHub] [pulsar] jiazhai commented on pull request #10183: CVE-2021-28165-Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90327f55db8f1d079f9a724aabf1f5eb3c00c1de49dc7fd04cad1ebc@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr opened a new pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [jira] [Assigned] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0bf3aa065abd23960fc8bdc8090d6bc00d5e391cf94ec4e1f4537ae3@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210412 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r077b76cafb61520c14c87c4fc76419ed664002da0ddac5ad851ae7e7@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd755dfe5f658c42704540ad7950cebd136739089c3231658e398cf38@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-issues] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 merged pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6f256a1d15505f79f4050a69bb8f27b34cb353604dd2f765c9da5df7@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[ignite-dev] 20210413 [jira] [Created] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd7c8fb305a8637480dc943ba08424c8992dccad018cd1405eb2afe0e@%3Cdev.ignite.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [jira] [Updated] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc4dbc9907b0bdd634200ac90a15283d9c143c11af66e7ec72128d020@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210413 [jira] [Resolved] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r694e57d74fcaa48818a03c282aecfa13ae68340c798dfcb55cb7acc7@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] chia7712 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd9ea411a58925cc82c32e15f541ead23cb25b4b2d57a2bdb0341536e@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] edwin092 commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6b070441871a4e6ce8bb63e190c879bb60da7c5e15023de29ebd4f9f@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210413 [GitHub] [kafka] dongjinleekr commented on pull request #10526: KAFKA-12655: CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r81748d56923882543f5be456043c67daef84d631cf54899082058ef1@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[solr-issues] 20210414 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961@%3Cissues.solr.apache.org%3E"
},
{
"name": "[oss-security] 20210420 Vulnerability in Jenkins",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/04/20/3"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Commented] (IGNITE-14527) CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[ignite-issues] 20210426 [jira] [Updated] (IGNITE-14527) Upgrade Jetty version to fix CVE-2021-2816[3,4,5] in Jetty",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46@%3Cissues.ignite.apache.org%3E"
},
{
"name": "[solr-issues] 20210507 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66@%3Cissues.solr.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] jeffreysmooth commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r401b1c592f295b811608010a70792b11c91885b72af9f9410cffbe35@%3Creviews.spark.apache.org%3E"
},
{
"name": "[spark-reviews] 20210517 [GitHub] [spark] dongjoon-hyun commented on pull request #32095: [SPARK-34988][CORE][3.1] Upgrade Jetty for CVE-2021-28165",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r64ff94118f6c80e6c085c6e2d51bbb490eaefad0642db8c936e4f0b7@%3Creviews.spark.apache.org%3E"
},
{
"name": "[solr-issues] 20210623 [jira] [Updated] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Created] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9974f64723875052e02787b2a5eda689ac5247c71b827d455e5dc9a6@%3Cissues.solr.apache.org%3E"
},
{
"name": "[solr-issues] 20210711 [jira] [Updated] (SOLR-15529) High security vulnerability in JDOM library bundled within Solr 8.9 CVE-2021-33813",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbc075a4ac85e7a8e47420b7383f16ffa0af3b792b8423584735f369f@%3Cissues.solr.apache.org%3E"
},
{
"name": "[kafka-jira] 20210715 [jira] [Commented] (KAFKA-12655) CVE-2021-28165 - Upgrade jetty to 9.4.39",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r40136c2010fccf4fb2818a965e5d7ecca470e5f525c232ec5b8eb83a@%3Cjira.kafka.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210611-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210611-0006/"
},
{
"name": "DSA-4949",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2021/dsa-4949"
},
{
"name": "[solr-issues] 20210813 [jira] [Resolved] (SOLR-15338) High security vulnerability in Jetty library CVE-2021-28163 (+5) bundled within Solr",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd0471252aeb3384c3cfa6d131374646d4641b80dd313e7b476c47a9c@%3Cissues.solr.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-28165",
"datePublished": "2021-04-01T14:20:14.000Z",
"dateReserved": "2021-03-12T00:00:00.000Z",
"dateUpdated": "2025-08-27T20:37:23.768Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-34429 (GCVE-0-2021-34429)
Vulnerability from cvelistv5
Published
2021-07-15 17:00
Modified
2024-08-04 00:12
Severity ?
VLAI Severity ?
EPSS score ?
Summary
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
References
| URL | Tags | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| The Eclipse Foundation | Eclipse Jetty |
Version: 9.4.37 < unspecified Version: unspecified < Version: 10.0.1 < unspecified Version: unspecified < Version: 11.0.1 < unspecified Version: unspecified < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:12:50.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli opened a new issue #11659: Jetty is flagged with CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] lhotari opened a new pull request #11660: [Security] Upgrade Jetty to 9.4.43.v20210629",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli closed issue #11659: Jetty is flagged with CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[santuario-dev] 20210817 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #52: Bump jetty.version from 9.4.42.v20210604 to 9.4.43.v20210629",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1%40%3Cdev.santuario.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Updated] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.8 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.7 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 3.0 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Assigned] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210827 [GitHub] [zookeeper] nkalmar commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Commented] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210819-0006/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Jetty",
"vendor": "The Eclipse Foundation",
"versions": [
{
"lessThan": "unspecified",
"status": "affected",
"version": "9.4.37",
"versionType": "custom"
},
{
"lessThanOrEqual": "9.4.42",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "10.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "10.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
},
{
"lessThan": "unspecified",
"status": "affected",
"version": "11.0.1",
"versionType": "custom"
},
{
"lessThanOrEqual": "11.0.5",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 \u0026 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-551",
"description": "CWE-551",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:29:06",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli opened a new issue #11659: Jetty is flagged with CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] lhotari opened a new pull request #11660: [Security] Upgrade Jetty to 9.4.43.v20210629",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli closed issue #11659: Jetty is flagged with CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[santuario-dev] 20210817 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #52: Bump jetty.version from 9.4.42.v20210604 to 9.4.43.v20210629",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1%40%3Cdev.santuario.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Updated] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.8 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.7 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 3.0 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe%40%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e%40%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Assigned] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c%40%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210827 [GitHub] [zookeeper] nkalmar commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398%40%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63%40%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c%40%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Commented] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba%40%3Cissues.hbase.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210819-0006/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2021-34429",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Jetty",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_value": "9.4.37"
},
{
"version_affected": "\u003c=",
"version_value": "9.4.42"
},
{
"version_affected": "\u003e=",
"version_value": "10.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "10.0.5"
},
{
"version_affected": "\u003e=",
"version_value": "11.0.1"
},
{
"version_affected": "\u003c=",
"version_value": "11.0.5"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 \u0026 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5."
}
]
},
"impact": {
"cvss": {
"baseScore": 5.3,
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-551"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm",
"refsource": "CONFIRM",
"url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli opened a new issue #11659: Jetty is flagged with CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] lhotari opened a new pull request #11660: [Security] Upgrade Jetty to 9.4.43.v20210629",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli closed issue #11659: Jetty is flagged with CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[santuario-dev] 20210817 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #52: Bump jetty.version from 9.4.42.v20210604 to 9.4.43.v20210629",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Updated] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.8 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 2.7 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-commits] 20210817 [kafka] branch 3.0 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-dev] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210817 [jira] [Assigned] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[kafka-jira] 20210818 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210827 [GitHub] [zookeeper] nkalmar commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[hbase-dev] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E"
},
{
"name": "[hbase-issues] 20210921 [jira] [Commented] (HBASE-26292) Update jetty version to fix CVE-2021-34429",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E"
},
{
"name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210819-0006/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210819-0006/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2021-34429",
"datePublished": "2021-07-15T17:00:10",
"dateReserved": "2021-06-09T00:00:00",
"dateUpdated": "2024-08-04T00:12:50.169Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-35515 (GCVE-0-2021-35515)
Vulnerability from cvelistv5
Published
2021-07-13 07:15
Modified
2024-08-04 00:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-834 - Excessive Iteration
Summary
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
References
| URL | Tags | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Compress |
Version: 1.6 < Apache Commons Compress* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T00:40:47.264Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/1"
},
{
"name": "[announce] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Commons Compress",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "Apache Commons Compress*",
"status": "affected",
"version": "1.6",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "This issue was discovered by OSS Fuzz."
}
],
"descriptions": [
{
"lang": "en",
"value": "When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress\u0027 sevenz package."
}
],
"metrics": [
{
"other": {
"content": {
"other": "low"
},
"type": "unknown"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-834",
"description": "CWE-834 Excessive Iteration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:29:28",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/1"
},
{
"name": "[announce] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69%40%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71%40%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57%40%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c%40%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b%40%3Cdev.poi.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"workarounds": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later.\n"
}
],
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2021-35515",
"STATE": "PUBLIC",
"TITLE": "Apache Commons Compress 1.6 to 1.20 denial of service vulnerability"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Commons Compress",
"version": {
"version_data": [
{
"version_affected": "\u003e=",
"version_name": "Apache Commons Compress",
"version_value": "1.6"
},
{
"version_affected": "\u003c=",
"version_name": "Apache Commons Compress",
"version_value": "1.20 +1"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by OSS Fuzz."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress\u0027 sevenz package."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "low"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-834 Excessive Iteration"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://commons.apache.org/proper/commons-compress/security-reports.html",
"refsource": "MISC",
"url": "https://commons.apache.org/proper/commons-compress/security-reports.html"
},
{
"name": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r19ebfd71770ec0617a9ea180e321ef927b3fefb4c81ec5d1902d20ab%40%3Cuser.commons.apache.org%3E"
},
{
"name": "[oss-security] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/07/13/1"
},
{
"name": "[announce] 20210713 CVE-2021-35515: Apache Commons Compress 1.6 to 1.20 denial of service vulnerability",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbaea15ddc5a7c0c6b66660f1d6403b28595e2561bb283eade7d7cd69@%3Cannounce.apache.org%3E"
},
{
"name": "[pulsar-commits] 20210716 [GitHub] [pulsar] lhotari opened a new pull request #11345: [Security] Upgrade commons-compress to 1.21",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s opened a new pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf2f4d7940371a7c7c5b679f50e28fc7fcc82cd00670ced87e013ac88@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [GitHub] [druid] suneet-s merged pull request #11496: Address CVE-2021-35515 CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rab292091eadd1ecc63c516e9541a7f241091cf2e652b8185a6059945@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[druid-commits] 20210726 [druid] branch master updated: Address CVE-2021-35515 CVE-2021-36090 (#11496)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rbe91c512c5385181149ab087b6c909825d34299f5c491c6482a2ed57@%3Ccommits.druid.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] wu-sheng opened a new pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [skywalking] 01/01: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [skywalking] branch master updated: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090 (#7400)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] hanahmily merged pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210803 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] commented on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[skywalking-notifications] 20210802 [GitHub] [skywalking] codecov[bot] edited a comment on pull request #7400: Fix CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E"
},
{
"name": "[poi-dev] 20210923 Re: [VOTE] Apache POI 5.1.0 release (RC1)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20211022-0001/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20211022-0001/"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "en",
"value": "Commons Compress users should upgrade to 1.21 or later.\n"
}
]
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2021-35515",
"datePublished": "2021-07-13T07:15:19",
"dateReserved": "2021-06-27T00:00:00",
"dateUpdated": "2024-08-04T00:40:47.264Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22060 (GCVE-0-2021-22060)
Vulnerability from cvelistv5
Published
2022-01-07 22:39
Modified
2024-08-03 18:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- Malicious input to cause the insertion of additional log entries.
Summary
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | Spring Framework |
Version: Spring Framework 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:30:23.916Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://tanzu.vmware.com/security/cve-2021-22060"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Spring Framework",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Spring Framework 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Malicious input to cause the insertion of additional log entries.",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-04-19T23:24:11",
"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"shortName": "vmware"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://tanzu.vmware.com/security/cve-2021-22060"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@vmware.com",
"ID": "CVE-2021-22060",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Spring Framework",
"version": {
"version_data": [
{
"version_value": "Spring Framework 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Malicious input to cause the insertion of additional log entries."
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://tanzu.vmware.com/security/cve-2021-22060",
"refsource": "MISC",
"url": "https://tanzu.vmware.com/security/cve-2021-22060"
},
{
"name": "https://www.oracle.com/security-alerts/cpuapr2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d",
"assignerShortName": "vmware",
"cveId": "CVE-2021-22060",
"datePublished": "2022-01-07T22:39:55",
"dateReserved": "2021-01-04T00:00:00",
"dateUpdated": "2024-08-03T18:30:23.916Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…