CVE-2021-34429 - Medium Severity Vulnerability
Vulnerable Libraries - jetty-server-9.4.39.v20210325.jar, jetty-http-9.4.39.v20210325.jar
jetty-server-9.4.39.v20210325.jar
The core jetty server artifact.
Library home page: https://eclipse.org/jetty
Path to dependency file: /websocket-resources/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.39.v20210325/jetty-server-9.4.39.v20210325.jar
Dependency Hierarchy:
jetty-http-9.4.39.v20210325.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.39.v20210325/jetty-http-9.4.39.v20210325.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Publish Date: 2021-07-15
URL: CVE-2021-34429
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-vjv5-gp2w-65vm
Release Date: 2021-07-15
Fix Resolution (org.eclipse.jetty:jetty-server): 9.4.43.v20210629
Direct dependency fix Resolution (io.dropwizard:dropwizard-core): 2.0.24
Fix Resolution (org.eclipse.jetty:jetty-http): 9.4.43.v20210629
Direct dependency fix Resolution (org.eclipse.jetty.websocket:websocket-server): 9.4.43.v20210629