{"id":"OESA-2021-1249","summary":"jetty security update","details":"Jetty is a 100% Java HTTP Server and Servlet Container. This means that you do not need to configure and run a separate web server (like Apache) in order\\ to use Java, servlets and JSPs to generate dynamic content. Jetty is a fully\\ featured web server for static and dynamic content. Unlike separate\\ server/container solutions, this means that your web server and web\\ application run in the same process, without interconnection overheads\\ and complications. Furthermore, as a pure java component, Jetty can be simply\\ included in your application for demonstration, distribution or deployment.\\ Jetty is available on all Java supported platforms. \\ %global extdesc \\\\ \\ This package contains\r\n\r\nSecurity Fix(es):\r\n\r\nFor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.(CVE-2021-28169)","modified":"2026-03-11T06:01:17.523604Z","published":"2021-07-03T11:03:01Z","upstream":["CVE-2021-28169"],"database_specific":{"severity":"Medium"},"references":[{"type":"ADVISORY","url":"https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1249"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-28169"}],"affected":[{"package":{"name":"jetty","ecosystem":"openEuler:20.03-LTS-SP1","purl":"pkg:rpm/openEuler/jetty&distro=openEuler-20.03-LTS-SP1"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.4.15-8.oe1"}]}],"ecosystem_specific":{"noarch":["jetty-javax-websocket-client-impl-9.4.15-8.oe1.noarch.rpm","jetty-websocket-common-9.4.15-8.oe1.noarch.rpm","jetty-util-ajax-9.4.15-8.oe1.noarch.rpm","jetty-io-9.4.15-8.oe1.noarch.rpm","jetty-jaspi-9.4.15-8.oe1.noarch.rpm","jetty-http2-common-9.4.15-8.oe1.noarch.rpm","jetty-jspc-maven-plugin-9.4.15-8.oe1.noarch.rpm","jetty-util-9.4.15-8.oe1.noarch.rpm","jetty-maven-plugin-9.4.15-8.oe1.noarch.rpm","jetty-xml-9.4.15-8.oe1.noarch.rpm","jetty-quickstart-9.4.15-8.oe1.noarch.rpm","jetty-websocket-server-9.4.15-8.oe1.noarch.rpm","jetty-http-spi-9.4.15-8.oe1.noarch.rpm","jetty-spring-9.4.15-8.oe1.noarch.rpm","jetty-osgi-boot-jsp-9.4.15-8.oe1.noarch.rpm","jetty-server-9.4.15-8.oe1.noarch.rpm","jetty-osgi-boot-warurl-9.4.15-8.oe1.noarch.rpm","jetty-cdi-9.4.15-8.oe1.noarch.rpm","jetty-annotations-9.4.15-8.oe1.noarch.rpm","jetty-jstl-9.4.15-8.oe1.noarch.rpm","jetty-javadoc-9.4.15-8.oe1.noarch.rpm","jetty-servlet-9.4.15-8.oe1.noarch.rpm","jetty-osgi-boot-9.4.15-8.oe1.noarch.rpm","jetty-http-9.4.15-8.oe1.noarch.rpm","jetty-fcgi-server-9.4.15-8.oe1.noarch.rpm","jetty-continuation-9.4.15-8.oe1.noarch.rpm","jetty-rewrite-9.4.15-8.oe1.noarch.rpm","jetty-ant-9.4.15-8.oe1.noarch.rpm","jetty-http2-hpack-9.4.15-8.oe1.noarch.rpm","jetty-security-9.4.15-8.oe1.noarch.rpm","jetty-javax-websocket-server-impl-9.4.15-8.oe1.noarch.rpm","jetty-http2-server-9.4.15-8.oe1.noarch.rpm","jetty-alpn-client-9.4.15-8.oe1.noarch.rpm","jetty-9.4.15-8.oe1.noarch.rpm","jetty-alpn-server-9.4.15-8.oe1.noarch.rpm","jetty-jmx-9.4.15-8.oe1.noarch.rpm","jetty-project-9.4.15-8.oe1.noarch.rpm","jetty-http2-client-9.4.15-8.oe1.noarch.rpm","jetty-jsp-9.4.15-8.oe1.noarch.rpm","jetty-websocket-servlet-9.4.15-8.oe1.noarch.rpm","jetty-fcgi-client-9.4.15-8.oe1.noarch.rpm","jetty-plus-9.4.15-8.oe1.noarch.rpm","jetty-jndi-9.4.15-8.oe1.noarch.rpm","jetty-proxy-9.4.15-8.oe1.noarch.rpm","jetty-client-9.4.15-8.oe1.noarch.rpm","jetty-nosql-9.4.15-8.oe1.noarch.rpm","jetty-infinispan-9.4.15-8.oe1.noarch.rpm","jetty-start-9.4.15-8.oe1.noarch.rpm","jetty-websocket-client-9.4.15-8.oe1.noarch.rpm","jetty-osgi-alpn-9.4.15-8.oe1.noarch.rpm","jetty-http2-http-client-transport-9.4.15-8.oe1.noarch.rpm","jetty-websocket-api-9.4.15-8.oe1.noarch.rpm","jetty-deploy-9.4.15-8.oe1.noarch.rpm","jetty-unixsocket-9.4.15-8.oe1.noarch.rpm","jetty-httpservice-9.4.15-8.oe1.noarch.rpm","jetty-webapp-9.4.15-8.oe1.noarch.rpm","jetty-jaas-9.4.15-8.oe1.noarch.rpm","jetty-servlets-9.4.15-8.oe1.noarch.rpm"],"src":["jetty-9.4.15-8.oe1.src.rpm"]},"database_specific":{"source":"https://repo.openeuler.org/security/data/osv/OESA-2021-1249.json"}}],"schema_version":"1.7.5"}