CVE-2021-34429

high-risk

Published 2021-07-15

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Do I need to act?

93.8% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

50478

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Jetty

E-Series Santricity Os Controller

E-Series Santricity Web Services

Element Plug-In For Vcenter Server

Hci Management Node

Snap Creator Framework

Snapcenter Plug-In

Solidfire

Autovue For Agile Product Lifecycle Management

Communications Cloud Native Core Binding Support Function

Communications Cloud Native Core Security Edge Protection Proxy

Communications Cloud Native Core Service Communication Proxy

Communications Cloud Native Core Unified Data Repository

Communications Diameter Signaling Router

Financial Services Crime And Compliance Management Studio

Rest Data Services

Retail Eftlink

Stream Analytics

Affected Vendors

Oracle Netapp Eclipse

References (76)

Exploit https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a9...

https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e897...

https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee54...

https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16...

https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e76625851...

https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8...

https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f107129...

https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324...

https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb7...

https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72...

https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc...

https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d...

https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b...

https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb...

https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d507514...

https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca6...

https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1...

https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195d...

https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e99...

and 56 more references

/ 100

high-risk

Severity 21/34 · High

Exploitability 20/34 · Moderate

Exposure 20/34 · Moderate