Merge branch 'master' of https://github.com/nrathaus/nuclei-templates
commit
b5bdac494b
|
@ -1,23 +1,16 @@
|
|||
id: jetty-utility-servlets-concatservlet-double-decoding-information-disclosure-vulnerability
|
||||
id: CVE-2021-28164
|
||||
|
||||
info:
|
||||
name: Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
|
||||
name: Authorization Before Parsing and Canonicalization in jetty
|
||||
author: noamrathaus
|
||||
severity: high
|
||||
description: |
|
||||
Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
|
||||
This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check.
|
||||
reference: |
|
||||
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
|
||||
- https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
|
||||
description: |
|
||||
Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
|
||||
|
||||
This occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. It then uses this decoded path to call RequestDispatcher which will also do decoding of the path. This double decoding allows paths with a doubly encoded WEB-INF to bypass this security check.
|
||||
|
||||
Impact
|
||||
This affects all versions of ConcatServlet and WelcomeFilter in versions before 9.4.41, 10.0.3 and 11.0.3.
|
||||
|
||||
Workarounds
|
||||
If you cannot update to the latest version of Jetty, you can instead deploy your own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty.
|
||||
tags: jetty
|
||||
tags: cve,cve2021,jetty
|
||||
|
||||
requests:
|
||||
- method: GET
|
||||
|
@ -34,6 +27,7 @@ requests:
|
|||
words:
|
||||
- "<url-pattern>/weaver/"
|
||||
part: body
|
||||
|
||||
- type: word
|
||||
part: header
|
||||
words:
|
Loading…
Reference in New Issue