CVE-2021-28164

Name	CVE-2021-28164
Description	In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
jetty (PTS)	jessie, jessie (lts)	6.1.26-4+deb8u2	fixed
jetty8 (PTS)	jessie, jessie (lts)	8.1.16-4+deb8u1	fixed
jetty9 (PTS)	stretch (security), stretch (lts), stretch	9.2.30-0+deb9u2	fixed
	buster (security), buster, buster (lts)	9.4.50-4+deb10u2	fixed
	bullseye (security), bullseye	9.4.50-4+deb11u2	fixed
	bookworm (security), bookworm	9.4.50-4+deb12u3	fixed
	sid, trixie	9.4.56-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version
jetty	source	jessie	(not affected)
jetty	source	(unstable)	(unfixed)
jetty8	source	jessie	(not affected)
jetty8	source	(unstable)	(unfixed)
jetty9	source	stretch	(not affected)
jetty9	source	buster	(not affected)
jetty9	source	(unstable)	9.4.39-1

Notes

[buster] - jetty9 <not-affected> (Vulnerable code introduced later)
[stretch] - jetty9 <not-affected> (Vulnerable code introduced later)
https://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
https://github.com/eclipse/jetty.project/commit/e412c8a15b3334b30193f40412c0fbc47e478e83
Introduced by https://github.com/eclipse/jetty.project/commit/20ef71fe5d709a90c2a5698834fff07b9b4e7ad7 (jetty-9.4.37.v20210219)
[jessie] - jetty <not-affected> (Vulnerable code introduced later)
[jessie] - jetty8 <not-affected> (Vulnerable code introduced later)