Vendor: Jetty
By: Mayank Deshmukh
CVSS: 5.5 (MEDIUM)
Vulnerability Type: Information Disclosure
CWE: 200
Product Name: Jetty
Affected Version From: 9.4.37.v20210219
Affected Version To: 9.4.38.v20210224
Patch Exists: YES
Related CVE: CVE-2021-28164
CPE: cpe:/a:eclipse:jetty:9.4.37.v20210219, cpe:/a:eclipse:jetty:9.4.38.v20210224
Tags: vulhub,cve,cve2021,jetty,packetstorm
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Nuclei References:
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
- https://github.com/vulhub/vulhub/tree/1239bca12c75630bb2033b728140ed5224dcc6d8/jetty
- https://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0@jira.kafka.apache.org
- http://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html
- https://nvd.nist.gov/vuln/detail/cve-2021-28164
Nuclei Metadata: {'max-request': 1, 'vendor': 'eclipse', 'product': 'jetty'}
Platforms Tested: Kali Linux
Year: 2021
Jetty 9.4.37.v20210219 – Information Disclosure
This exploit allows an attacker to retrieve sensitive information from the web.xml file in Jetty versions 9.4.37.v20210219 and 9.4.38.v20210224. By sending a specially crafted HTTP request, an unauthenticated attacker can read the web.xml file, which contains the web application's configuration details and potentially sensitive information.
Mitigation:
To mitigate this vulnerability, update Jetty to a version that includes the fix for CVE-2021-28164. Additionally, restrict access to sensitive files such as web.xml so they cannot be served to clients.