ubuntu-cve-2021-28164
Vulnerability from osv_ubuntu
Published
2021-04-01 15:15
Modified
2025-10-24 04:50
Summary
Details

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.


{
  "affected": [
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libequinox-app-java",
            "binary_version": "1.3.600+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-bidi-java",
            "binary_version": "1.1.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-cm-java",
            "binary_version": "1.3.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-common-java",
            "binary_version": "3.10.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-concurrent-java",
            "binary_version": "1.1.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-console-java",
            "binary_version": "1.3.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-coordinator-java",
            "binary_version": "1.3.600+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-device-java",
            "binary_version": "1.0.700+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-ds-java",
            "binary_version": "1.5.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-event-java",
            "binary_version": "1.4.300+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-http-jetty-java",
            "binary_version": "3.6.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-http-jetty-starter-java",
            "binary_version": "1.1.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-http-registry-java",
            "binary_version": "1.1.600+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-http-servlet-java",
            "binary_version": "1.5.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-http-servletbridge-java",
            "binary_version": "1.1.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-io-java",
            "binary_version": "1.1.300+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-ip-java",
            "binary_version": "1.1.600+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-jsp-jasper-java",
            "binary_version": "1.1.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-jsp-jasper-registry-java",
            "binary_version": "1.1.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-metatype-java",
            "binary_version": "1.4.500+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-preferences-java",
            "binary_version": "3.7.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-region-java",
            "binary_version": "1.4.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-registry-java",
            "binary_version": "3.8.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-security-java",
            "binary_version": "1.2.500+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-servletbridge-java",
            "binary_version": "1.4.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-transforms-hook-java",
            "binary_version": "1.2.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-transforms-xslt-java",
            "binary_version": "1.0.500+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-useradmin-java",
            "binary_version": "1.1.600+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-util-java",
            "binary_version": "1.1.100+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-weaving-caching-java",
            "binary_version": "1.1.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-weaving-hook-java",
            "binary_version": "1.2.200+eclipse4.9-2~18.04"
          },
          {
            "binary_name": "libequinox-wireadmin-java",
            "binary_version": "1.0.800+eclipse4.9-2~18.04"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:18.04:LTS",
        "name": "equinox-bundles",
        "purl": "pkg:deb/ubuntu/equinox-bundles@4.9-2~18.04?arch=source\u0026distro=bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.9-2~18.04"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libequinox-app-java",
            "binary_version": "1.4.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-bidi-java",
            "binary_version": "1.2.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-cm-java",
            "binary_version": "1.4.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-common-java",
            "binary_version": "3.10.500+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-concurrent-java",
            "binary_version": "1.1.400+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-console-java",
            "binary_version": "1.4.0+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-coordinator-java",
            "binary_version": "1.3.600+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-device-java",
            "binary_version": "1.0.800+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-ds-java",
            "binary_version": "1.6.0+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-event-java",
            "binary_version": "1.5.200+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-http-jetty-java",
            "binary_version": "3.7.200+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-http-jetty-starter-java",
            "binary_version": "1.1.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-http-registry-java",
            "binary_version": "1.1.700+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-http-servlet-java",
            "binary_version": "1.6.200+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-http-servletbridge-java",
            "binary_version": "1.1.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-io-java",
            "binary_version": "1.1.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-ip-java",
            "binary_version": "1.1.600+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-jsp-jasper-java",
            "binary_version": "1.1.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-jsp-jasper-registry-java",
            "binary_version": "1.1.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-metatype-java",
            "binary_version": "1.5.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-preferences-java",
            "binary_version": "3.7.500+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-region-java",
            "binary_version": "1.4.500+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-registry-java",
            "binary_version": "3.8.500+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-security-java",
            "binary_version": "1.3.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-servletbridge-java",
            "binary_version": "1.5.100+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-transforms-hook-java",
            "binary_version": "1.2.500+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-transforms-xslt-java",
            "binary_version": "1.1.0+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-useradmin-java",
            "binary_version": "1.1.700+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-util-java",
            "binary_version": "1.1.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-weaving-caching-java",
            "binary_version": "1.1.300+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-weaving-hook-java",
            "binary_version": "1.2.400+eclipse4.13-1"
          },
          {
            "binary_name": "libequinox-wireadmin-java",
            "binary_version": "1.0.800+eclipse4.13-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:20.04:LTS",
        "name": "equinox-bundles",
        "purl": "pkg:deb/ubuntu/equinox-bundles@4.13-1?arch=source\u0026distro=focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.12-1",
        "4.13-1"
      ]
    },
    {
      "ecosystem_specific": {
        "binaries": [
          {
            "binary_name": "libequinox-app-java",
            "binary_version": "1.5.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-bidi-java",
            "binary_version": "1.3.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-cm-java",
            "binary_version": "1.5.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-common-java",
            "binary_version": "3.14.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-concurrent-java",
            "binary_version": "1.2.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-console-java",
            "binary_version": "1.4.300+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-coordinator-java",
            "binary_version": "1.4.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-device-java",
            "binary_version": "1.1.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-event-java",
            "binary_version": "1.6.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-http-jetty-java",
            "binary_version": "3.7.600+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-http-jetty-starter-java",
            "binary_version": "1.1.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-http-registry-java",
            "binary_version": "1.2.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-http-servlet-java",
            "binary_version": "1.7.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-http-servletbridge-java",
            "binary_version": "1.2.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-io-java",
            "binary_version": "1.1.300+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-ip-java",
            "binary_version": "1.1.600+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-jsp-jasper-java",
            "binary_version": "1.1.500+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-jsp-jasper-registry-java",
            "binary_version": "1.1.400+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-metatype-java",
            "binary_version": "1.6.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-preferences-java",
            "binary_version": "3.8.200+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-region-java",
            "binary_version": "1.5.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-registry-java",
            "binary_version": "3.10.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-security-java",
            "binary_version": "1.3.600+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-security-ui-java",
            "binary_version": "1.3.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-servletbridge-java",
            "binary_version": "1.6.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-transforms-hook-java",
            "binary_version": "1.3.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-transforms-xslt-java",
            "binary_version": "1.2.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-useradmin-java",
            "binary_version": "1.2.100+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-util-java",
            "binary_version": "1.1.300+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-weaving-caching-java",
            "binary_version": "1.2.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-weaving-hook-java",
            "binary_version": "1.3.0+eclipse4.19-1"
          },
          {
            "binary_name": "libequinox-wireadmin-java",
            "binary_version": "1.0.800+eclipse4.19-1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "equinox-bundles",
        "purl": "pkg:deb/ubuntu/equinox-bundles@4.19-1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "4.18-1",
        "4.19-1"
      ]
    }
  ],
  "aliases": [],
  "details": "In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.",
  "id": "UBUNTU-CVE-2021-28164",
  "modified": "2025-10-24T04:50:13Z",
  "published": "2021-04-01T15:15:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-28164"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28164"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "medium",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2021-28164"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…