This is a summary of the AI-generated 10-question deep analysis.
Q1 What is this vulnerability? (Essence + Consequences)
**Essence**: Eclipse Jetty allows attackers to bypass security constraints using encoded URIs. **Consequences**: Sensitive files in the `WEB-INF` directory can be disclosed, leading to information leakage.
Q2 Root Cause? (CWE/Flaw)
**Root Cause**: CWE-200 (Information Exposure). The flaw lies in improper authorization handling where encoded characters trick the server into revealing protected content.
**Public Exploits**: YES. Multiple PoCs exist on GitHub (e.g., ColdFusionX, Nuclei templates). Wild exploitation is highly feasible due to simple URI encoding tricks.
Q7 How to self-check? (Features/Scanning)
**Self-Check**:
- Scan for Jetty versions listed above.
- Use Nuclei templates for CVE-2021-34429.
- Test if encoded URIs access `/WEB-INF/` paths.
- Check for similar patterns to CVE-2021-28164.
Q8 Is it fixed officially? (Patch/Mitigation)
**Official Fix**: YES. The vendor released patches.…
**No Patch Workaround**:
- Implement WAF rules to block encoded URI patterns targeting `WEB-INF`.
- Restrict direct access to `WEB-INF` at the reverse proxy level (Nginx/Apache).
- Disable unnecessary Jetty features.
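The WAF workaround above only holds if the rule decodes the path before it matches. As an added example (not part of the original analysis and not Jetty or vendor code), this triage function percent-decodes a request target until it stops changing and blocks anything that resolves to a `WEB-INF` segment. The verdict names, `MAX_ROUNDS` and the sample targets are constructed assumptions.

```python
import re

PROTECTED = "web-inf"  # directory named on the page, compared case-insensitively
MAX_ROUNDS = 5         # assumption: cap on nested percent-encoding layers
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")  # '%' not followed by two hex digits
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def decode_fully(path):
    """Percent-decode until the text stops changing; return (text, layers)."""
    for layers in range(MAX_ROUNDS):
        decoded = _PCT.sub(lambda m: chr(int(m.group(1), 16)), path)
        if decoded == path:
            return path, layers
        path = decoded
    return path, MAX_ROUNDS

def classify(raw_target):
    """Return 'block', 'review' or 'allow' for one request target (path only)."""
    raw_path = raw_target.split("?", 1)[0]
    decoded, layers = decode_fully(raw_path)
    # Drop control characters and unify separators before comparing segments.
    cleaned = _CONTROL.sub("", decoded).replace("\\", "/")
    if PROTECTED in (seg.lower() for seg in cleaned.split("/")):
        return "block"
    # Ambiguous input: nested encoding, malformed escapes, or control characters.
    if layers > 1 or _BAD_ESCAPE.search(raw_path) or _CONTROL.search(decoded):
        return "review"
    return "allow"

# Constructed sample request targets, not taken from real traffic.
SAMPLES = [
    "/index.html",
    "/docs/web-inf-layout.html",
    "/files/report%20final.pdf",
    "/WEB-INF/web.xml",
    "/%57EB-INF/web.xml",
    "/%2557EB-INF/web.xml",
    "/files/100%zz.txt",
    "/a%2520b",
    "/files/a%00b.txt",
]

def triage(targets):
    """Map each request target to its verdict."""
    return {target: classify(target) for target in targets}

if __name__ == "__main__":
    for target, verdict in triage(SAMPLES).items():
        print(f"{verdict:6} {target}")
```

A filter like this reduces exposure while patching is pending; it does not replace the vendor fix.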
Q10 Is it urgent? (Priority Suggestion)
**Urgency**: HIGH. CVSS Score indicates easy remote exploitation with data leakage impact. Immediate patching or WAF mitigation is recommended for all affected instances.