For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
CVSS Details
- CVSS 3.1 Base Score: 5.3
- CVSS 3.1 Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Covered by Rapid7
| Product | Vendor Advisory | Solution File | Added | Published |
|---|---|---|---|---|
| Debian | debian-upgrade-jetty9 | Jul 30, 2024 | Jul 15, 2021 | |
| Redhat_linux | — | no-fix-redhat-rpm-package | Jul 9, 2025 | Jul 15, 2021 |
| Suse | — | suse-upgrade-jetty-annotationssuse-upgrade-jetty-clientsuse-upgrade-jetty-continuationsuse-upgrade-jetty-httpsuse-upgrade-jetty-iosuse-upgrade-jetty-jaassuse-upgrade-jetty-javax-websocket-client-implsuse-upgrade-jetty-javax-websocket-server-implsuse-upgrade-jetty-jmxsuse-upgrade-jetty-jndisuse-upgrade-jetty-jspsuse-upgrade-jetty-minimal-javadocsuse-upgrade-jetty-openidsuse-upgrade-jetty-plussuse-upgrade-jetty-proxysuse-upgrade-jetty-securitysuse-upgrade-jetty-serversuse-upgrade-jetty-servletsuse-upgrade-jetty-utilsuse-upgrade-jetty-util-ajaxsuse-upgrade-jetty-webappsuse-upgrade-jetty-websocket-apisuse-upgrade-jetty-websocket-clientsuse-upgrade-jetty-websocket-commonsuse-upgrade-jetty-websocket-javadocsuse-upgrade-jetty-websocket-serversuse-upgrade-jetty-websocket-servletsuse-upgrade-jetty-xml | Aug 26, 2021 | Jul 15, 2021 |
| Ubuntu | no-fix-ubuntu-package | Jun 26, 2025 | Jul 15, 2021 |
Prioritise with Active Threat Intelligence
With curated Threat Intelligence, you can see which vulnerabilities truly put you at risk, prioritize what matters most, and act before attackers do.
Explore Intelligence Hub