In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
| Vulnerable Product | Search on Vulmon | Subscribe to Product |
|---|---|---|
eclipse jetty 9.4.37 |
||
eclipse jetty 9.4.38 |
||
netapp santricity cloud connector - |
||
netapp snapcenter - |
||
netapp e-series performance analyzer - |
||
netapp e-series santricity web services - |
||
netapp virtual storage console |
||
netapp storage replication adapter for clustered data ontap |
||
netapp vasa provider for clustered data ontap |
||
netapp cloud manager - |
||
netapp snapcenter plug-in - |
||
netapp e-series santricity os controller |
||
netapp element plug-in for vcenter server - |
||
oracle banking digital experience 20.1 |
||
oracle autovue for agile product lifecycle management 21.0.2 |
||
oracle siebel core - automation |
||
oracle communications session route manager |
||
oracle banking digital experience 21.1 |
||
oracle banking apis 20.1 |
||
oracle banking apis 21.1 |
Vulmon