Описание
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Отчет
In OpenShift Container Platform (OCP), the hive/presto/hadoop components that comprise the OCP metering stack, ship the vulnerable version of jetty. Since the release of OCP 4.6, the metering product has been deprecated [1], hence the affected components are marked as wontfix. This may be fixed in the future. [1] https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-metering-operator-deprecated Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws. Red Hat CodeReady Studio 12 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty. Red Hat Enterprise Linux 8 is not affected by this flaw because it does not ship the vulnerable components (ConcatServlet or WelcomeFilter) of jetty. Red Hat Enterprise Linux 7 ships the vulnerable component of jetty, but only in the optional repository and thus this flaw is out of support scope for Red Hat Enterprise Linux 7.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat CodeReady Studio 12 | jetty-server | Not affected | ||
| Red Hat Developer Tools | rh-eclipse-jetty | Affected | ||
| Red Hat Enterprise Linux 7 | jetty | Out of support scope | ||
| Red Hat Enterprise Linux 8 | eclipse:rhel8/jetty | Not affected | ||
| Red Hat Integration Service Registry | jetty-server | Affected | ||
| Red Hat JBoss A-MQ 6 | jetty-server | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty | Out of support scope | ||
| Red Hat JBoss Fuse 6 | jetty-server | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Will not fix |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is poss ...
Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
Уязвимость контейнера сервлетов Eclipse Jetty, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить конфиденциальную информацию
5.3 Medium
CVSS3