Attacker Value
High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
1

CVE-2021-28169

Disclosure Date: June 09, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Add Assessment

1
Ratings
Technical Analysis

More info on this vulnerability can be found at https://srcincite.io/blog/2021/07/13/fswa-2021-zero-day-give-away.html where the original author, Steven Steely of Source Insight, shows an example of how this vulnerability could be exploited to leak sensitive credentials from configuration files and combined this with a 0day deserialization vulnerability in Apache Shiro in the rememberMe cookie to gain RCE. For this reason, given a real world example of how this could be used to gain RCE on a typical deployment, I have elevated the Attacker Value.

Overall this vulnerability in a nutshell allows unauthenticated users to leak the content of files on the target system provided the target file is within the web root (aka the attacker can’t leak the content of files outside of the web root). Provided a user can leak sensitive info (which is not that uncommon), they can utilize this information to then conduct privilege elevation attacks and bypass authentication.

CVSS V3 Severity and Metrics
Base Score:
5.3 Medium
Impact Score:
1.4
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
Low
Integrity (I):
None
Availability (A):
None

General Information

Vendors

  • debian,
  • eclipse,
  • netapp,
  • oracle

Products

  • active iq unified manager -,
  • communications cloud native core policy 1.14.0,
  • debian linux 10.0,
  • debian linux 9.0,
  • hci -,
  • jetty,
  • management services for element software -,
  • rest data services,
  • snap creator framework -

Exploited in the Wild

Reported by:

References

Advisory

Additional Info

Technical Analysis