Information disclosure in The Eclipse Foundation Jetty
CVE-2021-34429
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the v…
Vulnerability class: Information Disclosure
EPSS: 0.938 (99.9th percentile).
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N.
Affected products
- The Eclipse Foundation Jetty: versions 9.4.37 through 9.4.42, 10.0.1 through 10.0.5, and 11.0.1 through 11.0.5 (as given in the description above)
References
- github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm (x_refsource_CONFIRM)
- [zookeeper-issues] 20210728 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 (mailing-list, x_refsource_MLIST)
- [zookeeper-issues] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 (mailing-list, x_refsource_MLIST)
- [zookeeper-dev] 20210728 [jira] [Created] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 (mailing-list, x_refsource_MLIST)
- [zookeeper-issues] 20210805 [jira] [Assigned] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 (mailing-list, x_refsource_MLIST)
- [zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4337) CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 (mailing-list, x_refsource_MLIST)
- [zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429) (mailing-list, x_refsource_MLIST)
- [zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1734: ZOOKEEPER-4337: Bump jetty to 9.4.43.v20210629 (avoids CVE-2021-34429) (mailing-list, x_refsource_MLIST)
- [pulsar-commits] 20210813 [GitHub] [pulsar] eolivelli opened a new issue #11659: Jetty is flagged with CVE-2021-34429 (mailing-list, x_refsource_MLIST)
- [pulsar-commits] 20210813 [GitHub] [pulsar] lhotari opened a new pull request #11660: [Security] Upgrade Jetty to 9.4.43.v20210629 (mailing-list, x_refsource_MLIST)
Frequently asked questions
- What is CVE-2021-34429?
- CVE-2021-34429 is a medium-severity vulnerability in The Eclipse Foundation Jetty, classified under Information Disclosure. CVSS score: 5.3/10. Published 2021-07-15.
- How severe is CVE-2021-34429?
- Medium severity. CVSS v3 base score is 5.3 out of 10.
- Is CVE-2021-34429 known to be exploited?
- 29 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.