SUSE-SU-2021:2005-1

Published: 17 Jun 2021
Source: suse-cvrf

Description

Security update for jetty-minimal

This update for jetty-minimal fixes the following issues:

Update to version 9.4.42.v20210604

  • Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory
  • Fix: bsc#1184367, CVE-2021-28165 - Jetty server high CPU when a client sends a TLS record with data length > 17408
  • Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs
  • Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan

Package list

SUSE Linux Enterprise Module for Development Tools 15 SP2
jetty-http-9.4.42-3.9.1
jetty-io-9.4.42-3.9.1
jetty-security-9.4.42-3.9.1
jetty-server-9.4.42-3.9.1
jetty-servlet-9.4.42-3.9.1
jetty-util-9.4.42-3.9.1
jetty-util-ajax-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP3
jetty-http-9.4.42-3.9.1
jetty-io-9.4.42-3.9.1
jetty-security-9.4.42-3.9.1
jetty-server-9.4.42-3.9.1
jetty-servlet-9.4.42-3.9.1
jetty-util-9.4.42-3.9.1
jetty-util-ajax-9.4.42-3.9.1

Description (CVE-2021-28163)

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
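The failure mode is an exclusion check that compares paths as strings while the scanner reports resolved paths. The following is an added example written for this page, not Jetty's deployment code: it models a scanner over a throwaway directory layout and shows that a string comparison lets a symlinked webapps directory through as a deployable, while comparing resolved paths excludes it. The scanner model, the `deployables` filter and the `webapps`/`webapps-real`/`app.war` layout are all constructed for the illustration.

```python
import os
import tempfile


def scan_candidates(monitored_dir):
    """Model of a deployment scanner (constructed for this example, not
    Jetty's Scanner): it reports the resolved path of the monitored directory
    itself plus every entry inside it."""
    resolved = os.path.realpath(monitored_dir)
    return [resolved] + sorted(
        os.path.join(resolved, name) for name in os.listdir(resolved)
    )


def deployables(webapps_dir, compare_resolved):
    """Filter scanner output down to the things that should be deployed.

    compare_resolved=False models the flawed exclusion: the configured path is
    compared as a plain string with what the scanner reports, so when
    webapps_dir is a symlink the directory itself is not recognised and would
    be deployed as a static webapp that serves every file under it.
    compare_resolved=True canonicalises the configured path first, so the
    directory is excluded no matter how the operator spelled it."""
    excluded = os.path.realpath(webapps_dir) if compare_resolved else webapps_dir
    return [c for c in scan_candidates(webapps_dir) if c != excluded]


def demo():
    """Build a throwaway layout: a real directory holding one app, and a
    symlink to it used as the configured webapps directory. Returns what
    each exclusion strategy would deploy, as paths relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        real_dir = os.path.join(root, "webapps-real")
        os.mkdir(real_dir)
        open(os.path.join(real_dir, "app.war"), "wb").close()  # constructed placeholder
        link = os.path.join(root, "webapps")
        os.symlink(real_dir, link)  # the operator points the server at the symlink

        naive = deployables(link, compare_resolved=False)
        fixed = deployables(link, compare_resolved=True)
        return {
            "naive_deploys_dir_itself": real_dir in naive,
            "fixed_deploys_dir_itself": real_dir in fixed,
            "naive": [os.path.relpath(p, root) for p in naive],
            "fixed": [os.path.relpath(p, root) for p in fixed],
        }


if __name__ == "__main__":
    print(demo())
```

Run on Linux (it creates a symlink); the naive filter returns the directory itself as a deployable, which is exactly the "contents of the webapps directory deployed as a static webapp" outcome described above.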


Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.42-3.9.1

Description (CVE-2021-28164)

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.


Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.42-3.9.1

Description (CVE-2021-28165)

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
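A connection layer that fills a fixed-size buffer and only inspects the record length afterwards can end up with a full buffer and an incomplete record, at which point every read copies zero bytes and the loop spins. The following added example (written for this page, not Jetty's SslConnection) models that loop beside a reader that validates the 5-byte TLS record header before buffering anything. The 17408-byte buffer size is assumed from the advisory's "data length > 17408" figure, the two byte streams are constructed test data rather than real handshake messages, and the 2^14 + 2048 ceiling is the RFC 5246 limit on TLSCiphertext.length.

```python
import struct

HEADER_LEN = 5
MAX_CIPHERTEXT = 2 ** 14 + 2048   # RFC 5246 s6.2.3: TLSCiphertext.length must not exceed this
CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
JETTY_BUFFER = 17408              # assumed buffer size, taken from the advisory's 17408 figure


class RecordError(ValueError):
    """A record header that can never be satisfied; the only safe reaction is to close."""


def record(content_type, body):
    """Build a TLS record with a TLS 1.2 version field. Constructed test data
    only; the bodies are not real handshake messages."""
    return struct.pack("!BBBH", content_type, 3, 3, len(body)) + body


VALID_STREAM = record(22, b"\x01" + b"\x00" * 99)   # 100-byte handshake record
OVERSIZED_STREAM = record(22, b"A" * 20000)          # claims more than any valid record


def parse_header(buf, capacity):
    """Validate the 5-byte header before anything is buffered. Returns
    (content_type, length) or None when fewer than 5 bytes are available."""
    if len(buf) < HEADER_LEN:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:HEADER_LEN])
    if ctype not in CONTENT_TYPES or major != 3:
        raise RecordError("not a TLS record header")
    if length > MAX_CIPHERTEXT:
        raise RecordError("record length %d exceeds protocol maximum %d" % (length, MAX_CIPHERTEXT))
    if HEADER_LEN + length > capacity:
        raise RecordError("record length %d does not fit a %d-byte buffer" % (length, capacity))
    return ctype, length


def naive_fill(stream, capacity, max_iters=1000):
    """Model of the failure mode: fill a fixed buffer until a whole record is
    present, checking the length only after the bytes are in. Once the buffer
    is full but the record is still incomplete, every further read copies
    zero bytes and the loop never progresses; max_iters stands in for a
    server burning CPU indefinitely. Returns (status, iterations)."""
    buf = bytearray()
    pos = 0
    for iters in range(1, max_iters + 1):
        space = capacity - len(buf)
        chunk = stream[pos:pos + space]
        buf += chunk
        pos += len(chunk)
        if len(buf) >= HEADER_LEN:
            (length,) = struct.unpack("!H", buf[3:HEADER_LEN])
            if len(buf) >= HEADER_LEN + length:
                return "complete", iters
        if pos >= len(stream) and space > 0:
            return "waiting", iters   # buffer has room: genuinely waiting for the peer
    return "spinning", max_iters


def guarded_read(stream, capacity):
    """Hardened reader: the header is validated first, so an impossible length
    closes the connection instead of entering the spin above. Returns
    ("ok", records) or ("closed", reason)."""
    records = []
    pos = 0
    try:
        while pos < len(stream):
            hdr = parse_header(stream[pos:pos + HEADER_LEN], capacity)
            if hdr is None:
                break   # need more bytes for a header
            ctype, length = hdr
            body = stream[pos + HEADER_LEN:pos + HEADER_LEN + length]
            if len(body) < length:
                break   # need more bytes for the body; the length already fits the buffer
            records.append((ctype, bytes(body)))
            pos += HEADER_LEN + length
    except RecordError as exc:
        return "closed", str(exc)
    return "ok", records


if __name__ == "__main__":
    print(naive_fill(VALID_STREAM, JETTY_BUFFER), naive_fill(OVERSIZED_STREAM, JETTY_BUFFER))
    print(guarded_read(VALID_STREAM, JETTY_BUFFER)[0], guarded_read(OVERSIZED_STREAM, JETTY_BUFFER))
```

The design point is that the length field is untrusted input and must be bounded against both the protocol maximum and the local buffer before any byte of the body is accepted; once that holds, "buffer full but record incomplete" cannot occur and the read loop always either completes a record, waits for the peer, or closes.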


Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.42-3.9.1

Description (CVE-2021-28169)

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
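Both the `%2e` segment bypass (CVE-2021-28164, above) and the doubly encoded ConcatServlet path (CVE-2021-28169) come from the same shape of bug: the WEB-INF check is made on one spelling of the path and the resource lookup acts on another. The following added example, written for this page and not taken from Jetty, models that split and a hardened version that decides on the canonical form the lookup will use and refuses paths that are still encoded after one decode. `resource_lookup`, `serve_naive` and `serve_hardened` are constructed for the illustration; for the ConcatServlet case the query value `/%2557EB-INF/web.xml` is passed in directly, standing in for what the servlet would extract from `/concat?...`.

```python
import posixpath
from urllib.parse import unquote

# Directories the servlet specification says must never be served directly.
PROTECTED_PREFIXES = ("/WEB-INF", "/META-INF")


def is_protected(path):
    """Plain string test, case-insensitive; only meaningful on a canonical path."""
    upper = path.upper()
    return any(upper == p or upper.startswith(p + "/") for p in PROTECTED_PREFIXES)


def resource_lookup(path):
    """Model of the resource layer (constructed for this example, not Jetty's
    code): it decodes its input once more and collapses dot-segments before
    touching the filesystem. Whatever the earlier check saw, this is the
    string that decides which file is opened."""
    return posixpath.normpath("/" + unquote(path).lstrip("/"))


def serve_naive(raw_path):
    """The bypassed pattern: check the once-decoded, un-normalised path and
    then hand that string to a lookup that decodes and normalises again.
    /%2e/WEB-INF/web.xml passes as '/./WEB-INF/web.xml' and
    /%2557EB-INF/web.xml passes as '/%57EB-INF/web.xml'; the lookup then
    turns both into /WEB-INF/web.xml."""
    decoded = unquote(raw_path)
    if is_protected(decoded):
        return "403"
    return "200 " + resource_lookup(decoded)


def serve_hardened(raw_path):
    """Decide on exactly the canonical form the lookup will use, and refuse
    inputs whose meaning depends on how many times they are decoded."""
    decoded = unquote(raw_path)
    if "%" in decoded or "\x00" in decoded:
        return "400"          # still encoded after one decode: ambiguous, refuse
    canonical = posixpath.normpath("/" + decoded.lstrip("/"))
    if is_protected(canonical):
        return "403"
    # The lookup receives the canonical path; it contains no '%', so a
    # second decode downstream could not change it.
    return "200 " + canonical


if __name__ == "__main__":
    for p in ("/%2e/WEB-INF/web.xml", "/%2e%2e/WEB-INF/web.xml",
              "/%2557EB-INF/web.xml", "/css/site.css"):
        print(p, "naive:", serve_naive(p), "hardened:", serve_hardened(p))
```

The hardened check is deliberately strict about residual percent signs: a legitimate resource name containing a literal `%` is rare, while accepting such paths reopens the question of which layer decodes last. If the application needs them, the check and the lookup must share a single canonicalisation routine rather than each decoding on its own.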


Affected products
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-http-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-io-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-security-9.4.42-3.9.1
SUSE Linux Enterprise Module for Development Tools 15 SP2:jetty-server-9.4.42-3.9.1
