CVE-2021-28164

MEDIUM NUCLEI

Eclipse Jetty - Information Disclosure

Title source: nuclei

Description

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Exploits (3)

exploitdb WORKING POC
by Mayank Deshmukh · textwebappsjava
https://www.exploit-db.com/exploits/50438
nomisec STUB 1 stars
by jammy0903 · poc
https://github.com/jammy0903/-jettyCVE-2021-28164-
metasploit WORKING POC
by h00die, Mayank Deshmukh, cangqingzhe, lachlan roberts <[email protected]>, charlesk40 · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/jetty_web_inf_disclosure.rb

Nuclei Templates (1)

Eclipse Jetty - Information Disclosure
MEDIUMby noamrathaus
Shodan: cpe:"cpe:2.3:a:eclipse:jetty"

References (25)

... and 5 more

Scores

CVSS v3 5.3
EPSS 0.9348
EPSS Percentile 99.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-551 CWE-200
Status published
Products (21)
eclipse/jetty 9.4.37 20210219
eclipse/jetty 9.4.38 20210224
netapp/cloud_manager
netapp/element_plug-in_for_vcenter_server
netapp/e-series_performance_analyzer
netapp/e-series_santricity_os_controller 11.0 - 11.70.1
netapp/e-series_santricity_web_services
netapp/santricity_cloud_connector
netapp/snapcenter
netapp/snapcenter_plug-in
... and 11 more
Published Apr 01, 2021
Tracked Since Feb 18, 2026