{ "data_type": "CVE", "data_format": "MITRE", "data_version": "4.0", "CVE_data_meta": { "ID": "CVE-2021-34429", "ASSIGNER": "security@eclipse.org", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "The Eclipse Foundation", "product": { "product_data": [ { "product_name": "Eclipse Jetty", "version": { "version_data": [ { "version_affected": ">=", "version_value": "9.4.37" }, { "version_affected": "<=", "version_value": "9.4.42" }, { "version_affected": ">=", "version_value": "10.0.1" }, { "version_affected": "<=", "version_value": "10.0.5" }, { "version_affected": ">=", "version_value": "11.0.1" }, { "version_affected": "<=", "version_value": "11.0.5" } ] } } ] } } ] } }, "description": { "description_data": [ { "lang": "eng", "value": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5." } ] }, "impact": { "cvss": { "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200" } ] }, { "description": [ { "lang": "eng", "value": "CWE-551" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm", "refsource": "CONFIRM", "url": "https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3Cissues.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3Cissues.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3Cdev.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3Cissues.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3Cissues.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli opened a new issue #11659: Jetty is flagged with CVE-2021-34429", "url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3Ccommits.pulsar.apache.org%3E" }, { "refsource": "MLIST", "name": "[pulsar-commits] 20210813 [GitHub] [pulsar] lhotari opened a new pull request #11660: [Security] Upgrade Jetty to 9.4.43.v20210629", "url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3Ccommits.pulsar.apache.org%3E" }, { "refsource": "MLIST", "name": "[pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli closed issue #11659: Jetty is flagged with CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3Ccommits.pulsar.apache.org%3E" }, { "refsource": "MLIST", "name": "[santuario-dev] 20210817 [GitHub] [santuario-xml-security-java] dependabot[bot] opened a new pull request #52: Bump jetty.version from 9.4.42.v20210604 to 9.4.43.v20210629", "url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3Cdev.santuario.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210817 [jira] [Updated] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210817 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210817 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-commits] 20210817 [kafka] branch 2.8 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3Ccommits.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-commits] 20210817 [kafka] branch 2.7 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3Ccommits.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-commits] 20210817 [kafka] branch 3.0 updated: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3Ccommits.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-dev] 20210817 [jira] [Resolved] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3Cdev.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210817 [jira] [Assigned] (KAFKA-13209) Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210818 [GitHub] [kafka] jolshan opened a new pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[kafka-jira] 20210818 [GitHub] [kafka] omkreddy merged pull request #11224: KAFKA-13209: Upgrade jetty-server to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3Cjira.kafka.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210827 [GitHub] [zookeeper] nkalmar commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-commits] 20210901 [zookeeper] branch branch-3.7 updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3Ccommits.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3Ccommits.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429)", "url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3Cnotifications.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3Cissues.zookeeper.apache.org%3E" }, { "refsource": "MLIST", "name": "[hbase-issues] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3Cissues.hbase.apache.org%3E" }, { "refsource": "MLIST", "name": "[hbase-dev] 20210921 [jira] [Created] (HBASE-26292) Update jetty version to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3Cdev.hbase.apache.org%3E" }, { "refsource": "MLIST", "name": "[hbase-issues] 20210921 [jira] [Commented] (HBASE-26292) Update jetty version to fix CVE-2021-34429", "url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3Cissues.hbase.apache.org%3E" }, { "refsource": "MLIST", "name": "[zookeeper-issues] 20211028 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0", "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3Cissues.zookeeper.apache.org%3E" }, { "url": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "refsource": "CONFIRM", "name": "https://security.netapp.com/advisory/ntap-20210819-0006/", "url": "https://security.netapp.com/advisory/ntap-20210819-0006/" }, { "url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "url": "https://www.oracle.com/security-alerts/cpujul2022.html", "refsource": "MISC", "name": "https://www.oracle.com/security-alerts/cpujul2022.html" } ] } }