diff --git a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml b/cves/2021/CVE-2021-28164.yaml similarity index 69% rename from vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml rename to cves/2021/CVE-2021-28164.yaml index cb7e67f6c3..6c5d5c88ba 100644 --- a/vulnerabilities/other/jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability.yml +++ b/cves/2021/CVE-2021-28164.yaml 
@@ -1,23 +1,16 @@ -id: jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability +id: CVE-2021-28164 info: - name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability + name: Authorization Before Parsing and Canonicalization in jetty author: noamrathaus severity: high + description: | + Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. + This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. reference: | - https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq - https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5 - description: | - Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. - - This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check. 
- - Impact - This affects all versions of ConcatServlet and WelcomeFilter in versions before 9.4.41, 10.0.3 and 11.0.3. - - Workarounds - If you cannot update to the latest version of Jetty, you can instead deploy your own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty. - tags: jetty + tags: cve,cve2021,jetty requests: - method: GET @@ -34,7 +27,8 @@ requests: words: - "/weaver/" part: body + - type: word part: header words: - - "application/xml" + - "application/xml" \ No newline at end of file
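Review bot: In the first hunk the removed Impact paragraph was the only place the template recorded the affected versions (before 9.4.41, 10.0.3 and 11.0.3); dropping it loses the triage information a user of a CVE-keyed template needs most. Keep that sentence at the end of the new description block, e.g. `Affects Jetty before 9.4.41, 10.0.3 and 11.0.3.` The new `name` also reads oddly: `jetty` should be capitalized as `Jetty`, and the CWE-style title "Authorization Before Parsing and Canonicalization" says less about what is detected than the original "ConcatServlet Double Decoding Information Disclosure"; consider keeping the component and effect in the name. Since the template is now keyed by the CVE id, the `reference` list would also benefit from the NVD record for CVE-2021-28164 alongside the two GHSA advisories.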
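Review bot: In the second hunk the `- "application/xml"` line is deleted and re-added byte-for-byte, the only difference being the lost trailing newline (`\ No newline at end of file`); that is a whitespace regression, not a change, so restore the final newline and drop this churn from the rename. While touching the matcher block, note that the body match on `/weaver/` looks specific to one test deployment rather than to the `web.xml` the description says is disclosed; a marker present in any servlet descriptor (for example `<web-app`) would make the template fire on other targets as well.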