var-202107-1585
Vulnerability from variot
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Eclipse Jetty Contains an improper authentication vulnerability.Information may be obtained. Pillow is a Python-based image processing library. There is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Eclipse Jetty is an open source, Java-based Web server and Java Servlet container from the Eclipse Foundation. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===================================================================== Red Hat Security Advisory
Synopsis: Moderate: Red Hat AMQ Broker 7.9.0 release and security update Advisory ID: RHSA-2021:3700-01 Product: Red Hat JBoss AMQ Advisory URL: https://access.redhat.com/errata/RHSA-2021:3700 Issue date: 2021-09-30 Keywords: amq,messaging,integration,broker CVE Names: CVE-2020-13956 CVE-2020-27223 CVE-2021-3425 CVE-2021-3763 CVE-2021-20289 CVE-2021-21290 CVE-2021-21295 CVE-2021-21409 CVE-2021-28163 CVE-2021-28164 CVE-2021-28165 CVE-2021-28169 CVE-2021-29425 CVE-2021-34428 CVE-2021-34429 =====================================================================
- Summary:
Red Hat AMQ Broker 7.9.0 is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Description:
AMQ Broker is a high-performance messaging implementation based on ActiveMQ Artemis. It uses an asynchronous journal for fast message persistence, and supports multiple languages, protocols, and platforms.
This release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red Hat AMQ Broker 7.8.2, and includes security and bug fixes, and enhancements. For further information, refer to the release notes linked to in the References section.
Security Fix(es):
-
httpclient: apache-httpclient: incorrect handling of malformed authority component in request URIs (CVE-2020-13956)
-
jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS (CVE-2020-27223)
-
resteasy-jaxrs: resteasy: Error message exposes endpoint class information (CVE-2021-20289)
-
netty: Information disclosure via the local system temporary directory (CVE-2021-21290)
-
netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)
-
netty: Request smuggling via content-length header (CVE-2021-21409)
-
jetty-server: jetty: Symlink directory exposes webapp directory contents (CVE-2021-28163)
-
jetty-server: jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)
-
jetty-server: jetty: Resource exhaustion when receiving an invalid large TLS frame (CVE-2021-28165)
-
jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory (CVE-2021-28169)
-
commons-io: apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)
-
broker: Red Hat AMQ Broker: discloses JDBC username and password in the application log file (CVE-2021-3425)
-
jetty-server: jetty: SessionListener can prevent a session from being invalidated breaking logout (CVE-2021-34428)
-
jetty-server: jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)
-
broker: AMQ Broker 7: Incorrect privilege in Management Console (CVE-2021-3763)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link (you must log in to download the update).
- Bugs fixed (https://bugzilla.redhat.com/):
1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs 1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory 1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of "quality" parameters may lead to DoS 1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information 1936629 - CVE-2021-3425 Red Hat AMQ Broker: discloses JDBC username and password in the application log file 1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents 1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF 1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame 1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory 1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout 1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints 2000654 - CVE-2021-3763 AMQ Broker 7: Incorrect privilege in Management Console
- References:
https://access.redhat.com/security/cve/CVE-2020-13956 https://access.redhat.com/security/cve/CVE-2020-27223 https://access.redhat.com/security/cve/CVE-2021-3425 https://access.redhat.com/security/cve/CVE-2021-3763 https://access.redhat.com/security/cve/CVE-2021-20289 https://access.redhat.com/security/cve/CVE-2021-21290 https://access.redhat.com/security/cve/CVE-2021-21295 https://access.redhat.com/security/cve/CVE-2021-21409 https://access.redhat.com/security/cve/CVE-2021-28163 https://access.redhat.com/security/cve/CVE-2021-28164 https://access.redhat.com/security/cve/CVE-2021-28165 https://access.redhat.com/security/cve/CVE-2021-28169 https://access.redhat.com/security/cve/CVE-2021-29425 https://access.redhat.com/security/cve/CVE-2021-34428 https://access.redhat.com/security/cve/CVE-2021-34429 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=jboss.amq.broker&version=7.9.0 https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBYVWKK9zjgjWX9erEAQiu0A/+NJe1AtB06jaucFaOVo6/q4A3geYdiNfX aU44bpkaYfOHdYkd2Ec59L3ImNIUCYMxUZIWhNfyUwMKAGxRnj2Q0tzm3O6ZCwcL 3DIVXlJHfrQHN8rZ38rG0bi4l4OnnSV1y2kskqkOITFcv6N0MmyQ8+rzG/m5VHC6 c9IBl0zXGZs+8sXDsXzN7tabdieUmke1FyR1SV/YsR9rnnm1cZJcfJqJcKWeKD0v GMvKjgq6VImt8xAZbaOHWzV3+PfinisPh7XYRabE87EAyMFmy5jWclZrg8UhsaYX DEV2+wis3jgANdAgvNox/7camxSciogKKSTxc8ZTPaok33GeudET5pmVbac9sQsc e/jrTvN+AnHMtGoQQwAHPQH3DMjomzd1vmjV4aI6UfearT0GlkLLMVcn6wp2OQ7w d+yh2QnDGXUHLYCkAcvNVklL8ZGlhxgV9zdhoYVSdiZPXAQNvfCDgNilzMaJKXmF k2sR0BB3wnSG7//dUTbNTbBQw8JpuYesDpUC+JYMWErnFak9MGj0Q+ISfxYE9vC5 LSiCsqNHibsGcA5XpVVvO4q/LM6mwhCozD4WXrCw3xl4n4EWWiTQceF+yYSRtsmn pWcWk56HHAlr5Qs9jRuW90pzyf8X/T9rEmugb62Z7SGSUH/A4xJxLpZJHb4q/whu hBENV2qm+t4= =l+R3 -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Description:
Red Hat AMQ Streams, based on the Apache Kafka project, offers a distributed backbone that allows microservices and other applications to share data with extremely high throughput and extremely low latency.
Security Fix(es):
-
jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)
-
netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)
-
netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way (CVE-2021-37137)
-
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients (CVE-2021-38153)
-
log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):
1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2035951 - CVE-2021-44832 log4j-core: remote code execution via JDBC Appender
5
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202107-1585", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "communications diameter signaling router", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0.0" }, { "model": "snapcenter plug-in", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "financial services crime and compliance management studio", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.8.3.0" }, { "model": "e-series santricity os controller", "scope": "lte", "trust": 1.0, "vendor": "netapp", "version": "11.70.1" }, { "model": "element plug-in for vcenter server", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "communications cloud native core unified data repository", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.14.0" }, { "model": "jetty", "scope": "lt", "trust": 1.0, "vendor": "eclipse", "version": "9.4.43" }, { "model": "communications cloud native core binding support function", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.10.0" }, { "model": "communications diameter signaling router", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.5.0.2" }, { "model": "jetty", "scope": "lt", "trust": 1.0, "vendor": "eclipse", "version": "11.0.6" }, { "model": "jetty", "scope": "gte", "trust": 1.0, "vendor": "eclipse", "version": "9.4.37" }, { "model": "autovue for agile product lifecycle management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "21.0.2" }, { "model": "stream analytics", "scope": "lt", "trust": 1.0, "vendor": "oracle", "version": "19.1.0.0.6.4" }, { "model": "solidfire", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "jetty", "scope": "gte", "trust": 1.0, "vendor": "eclipse", "version": "11.0.1" }, { "model": "rest data services", "scope": "lt", "trust": 1.0, "vendor": "oracle", "version": "22.1.1" }, { "model": "e-series santricity os controller", "scope": "gte", "trust": 1.0, "vendor": "netapp", "version": "11.0" }, { "model": "stream analytics", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19c" }, { "model": "communications cloud native core security edge protection proxy", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.5.0" }, { "model": "e-series santricity web services", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "financial services crime and compliance management studio", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "8.0.8.2.0" }, { "model": "communications cloud native core service communication proxy", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.14.0" }, { "model": "jetty", "scope": "gte", "trust": 1.0, "vendor": "eclipse", "version": "10.0.1" }, { "model": "hci management node", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "jetty", "scope": "lt", "trust": 1.0, "vendor": "eclipse", "version": "10.0.6" }, { "model": "retail eftlink", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "20.0.1" }, { "model": "snap creator framework", "scope": "eq", "trust": 1.0, "vendor": "netapp", "version": null }, { "model": "e-series santricity os controller software", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "snapcenter plug-in", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "oracle communications cloud native core binding support function", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "oracle communications cloud native core security edge protection proxy", "scope": null, "trust": 0.8, "vendor": "\u30aa\u30e9\u30af\u30eb", "version": null }, { "model": "e-series santricity web services", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "hci management node", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "element plug-in for vcenter server", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "jetty", "scope": null, "trust": 0.8, "vendor": "eclipse", "version": null }, { "model": "solidfire", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null }, { "model": "snap creator framework", "scope": null, "trust": 0.8, "vendor": "netapp", "version": null } ], "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "11.0.6", "versionStartIncluding": "11.0.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "10.0.6", "versionStartIncluding": "10.0.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "9.4.43", "versionStartIncluding": "9.4.37", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:netapp:snap_creator_framework:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_web_services:-:*:*:*:*:web_services_proxy:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:snapcenter_plug-in:-:*:*:*:*:vmware_vsphere:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "11.70.1", "versionStartIncluding": "11.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:netapp:element_plug-in_for_vcenter_server:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:autovue_for_agile_product_lifecycle_management:21.0.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:retail_eftlink:20.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.5.0.2", "versionStartIncluding": "8.0.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.14.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.5.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*", "cpe_name": [], "versionEndExcluding": "22.1.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:stream_analytics:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "19.1.0.0.6.4", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:stream_analytics:19c:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2021-34429" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "164346" }, { "db": "PACKETSTORM", "id": "165564" } ], "trust": 0.2 }, "cve": "CVE-2021-34429", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "impactScore": 2.9, "integrityImpact": "NONE", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "Low", "accessVector": "Network", "authentication": "None", "author": "NVD", "availabilityImpact": "None", "baseScore": 5.0, "confidentialityImpact": "Partial", "exploitabilityScore": null, "id": "CVE-2021-34429", "impactScore": null, "integrityImpact": "None", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "Medium", "trust": 0.9, "userInteractionRequired": null, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 10.0, "id": "VHN-394611", "impactScore": 2.9, "integrityImpact": "NONE", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:N/AC:L/AU:N/C:P/I:N/A:N", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "LOW", "attackVector": "NETWORK", "author": "NVD", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "exploitabilityScore": 3.9, "impactScore": 1.4, "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "trust": 2.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, { "attackComplexity": "Low", "attackVector": "Network", "author": "OTHER", "availabilityImpact": "None", "baseScore": 5.3, "baseSeverity": "Medium", "confidentialityImpact": "Low", "exploitabilityScore": null, "id": "JVNDB-2021-009832", "impactScore": null, "integrityImpact": "None", "privilegesRequired": "None", "scope": "Unchanged", "trust": 0.8, "userInteraction": "None", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" } ], "severity": [ { "author": "NVD", "id": "CVE-2021-34429", "trust": 1.8, "value": "MEDIUM" }, { "author": "emo@eclipse.org", "id": "CVE-2021-34429", "trust": 1.0, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202107-1094", "trust": 0.6, "value": "MEDIUM" }, { "author": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6, "value": "MEDIUM" }, { "author": "VULHUB", "id": "VHN-394611", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2021-34429", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-394611" }, { "db": "VULMON", "id": "CVE-2021-34429" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "NVD", "id": "CVE-2021-34429" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 \u0026 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Eclipse Jetty Contains an improper authentication vulnerability.Information may be obtained. Pillow is a Python-based image processing library. \nThere is currently no information about this vulnerability, please feel free to follow CNNVD or manufacturer announcements. Eclipse Jetty is an open source, Java-based Web server and Java Servlet container from the Eclipse Foundation. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Moderate: Red Hat AMQ Broker 7.9.0 release and security update\nAdvisory ID: RHSA-2021:3700-01\nProduct: Red Hat JBoss AMQ\nAdvisory URL: https://access.redhat.com/errata/RHSA-2021:3700\nIssue date: 2021-09-30\nKeywords: amq,messaging,integration,broker\nCVE Names: CVE-2020-13956 CVE-2020-27223 CVE-2021-3425 \n CVE-2021-3763 CVE-2021-20289 CVE-2021-21290 \n CVE-2021-21295 CVE-2021-21409 CVE-2021-28163 \n CVE-2021-28164 CVE-2021-28165 CVE-2021-28169 \n CVE-2021-29425 CVE-2021-34428 CVE-2021-34429 \n=====================================================================\n\n1. Summary:\n\nRed Hat AMQ Broker 7.9.0 is now available from the Red Hat Customer Portal. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Description:\n\nAMQ Broker is a high-performance messaging implementation based on ActiveMQ\nArtemis. It uses an asynchronous journal for fast message persistence, and\nsupports multiple languages, protocols, and platforms. \n\nThis release of Red Hat AMQ Broker 7.9.0 serves as a replacement for Red\nHat AMQ Broker 7.8.2, and includes security and bug fixes, and\nenhancements. For further information, refer to the release notes linked to\nin the References section. \n\nSecurity Fix(es):\n\n* httpclient: apache-httpclient: incorrect handling of malformed authority\ncomponent in request URIs (CVE-2020-13956)\n\n* jetty: request containing multiple Accept headers with a large number of\n\"quality\" parameters may lead to DoS (CVE-2020-27223)\n\n* resteasy-jaxrs: resteasy: Error message exposes endpoint class\ninformation (CVE-2021-20289)\n\n* netty: Information disclosure via the local system temporary directory\n(CVE-2021-21290)\n\n* netty: possible request smuggling in HTTP/2 due missing validation\n(CVE-2021-21295)\n\n* netty: Request smuggling via content-length header (CVE-2021-21409)\n\n* jetty-server: jetty: Symlink directory exposes webapp directory contents\n(CVE-2021-28163)\n\n* jetty-server: jetty: Ambiguous paths can access WEB-INF (CVE-2021-28164)\n\n* jetty-server: jetty: Resource exhaustion when receiving an invalid large\nTLS frame (CVE-2021-28165)\n\n* jetty-server: jetty: requests to the ConcatServlet and WelcomeFilter are\nable to access protected resources within the WEB-INF directory\n(CVE-2021-28169)\n\n* commons-io: apache-commons-io: Limited path traversal in Apache Commons\nIO 2.2 to 2.6 (CVE-2021-29425)\n\n* broker: Red Hat AMQ Broker: discloses JDBC username and password in the\napplication log file (CVE-2021-3425)\n\n* jetty-server: jetty: SessionListener can prevent a session from being\ninvalidated breaking logout (CVE-2021-34428)\n\n* jetty-server: jetty: crafted URIs allow bypassing security constraints\n(CVE-2021-34429)\n\n* broker: AMQ Broker 7: Incorrect privilege in Management Console\n(CVE-2021-3763)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n3. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). \n\n4. Bugs fixed (https://bugzilla.redhat.com/):\n\n1886587 - CVE-2020-13956 apache-httpclient: incorrect handling of malformed authority component in request URIs\n1927028 - CVE-2021-21290 netty: Information disclosure via the local system temporary directory\n1934116 - CVE-2020-27223 jetty: request containing multiple Accept headers with a large number of \"quality\" parameters may lead to DoS\n1935927 - CVE-2021-20289 resteasy: Error message exposes endpoint class information\n1936629 - CVE-2021-3425 Red Hat AMQ Broker: discloses JDBC username and password in the application log file\n1937364 - CVE-2021-21295 netty: possible request smuggling in HTTP/2 due missing validation\n1944888 - CVE-2021-21409 netty: Request smuggling via content-length header\n1945710 - CVE-2021-28163 jetty: Symlink directory exposes webapp directory contents\n1945712 - CVE-2021-28164 jetty: Ambiguous paths can access WEB-INF\n1945714 - CVE-2021-28165 jetty: Resource exhaustion when receiving an invalid large TLS frame\n1948752 - CVE-2021-29425 apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6\n1971016 - CVE-2021-28169 jetty: requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory\n1974891 - CVE-2021-34428 jetty: SessionListener can prevent a session from being invalidated breaking logout\n1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints\n2000654 - CVE-2021-3763 AMQ Broker 7: Incorrect privilege in Management Console\n\n5. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-13956\nhttps://access.redhat.com/security/cve/CVE-2020-27223\nhttps://access.redhat.com/security/cve/CVE-2021-3425\nhttps://access.redhat.com/security/cve/CVE-2021-3763\nhttps://access.redhat.com/security/cve/CVE-2021-20289\nhttps://access.redhat.com/security/cve/CVE-2021-21290\nhttps://access.redhat.com/security/cve/CVE-2021-21295\nhttps://access.redhat.com/security/cve/CVE-2021-21409\nhttps://access.redhat.com/security/cve/CVE-2021-28163\nhttps://access.redhat.com/security/cve/CVE-2021-28164\nhttps://access.redhat.com/security/cve/CVE-2021-28165\nhttps://access.redhat.com/security/cve/CVE-2021-28169\nhttps://access.redhat.com/security/cve/CVE-2021-29425\nhttps://access.redhat.com/security/cve/CVE-2021-34428\nhttps://access.redhat.com/security/cve/CVE-2021-34429\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=jboss.amq.broker\u0026version=7.9.0\nhttps://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4\n\n6. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2021 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBYVWKK9zjgjWX9erEAQiu0A/+NJe1AtB06jaucFaOVo6/q4A3geYdiNfX\naU44bpkaYfOHdYkd2Ec59L3ImNIUCYMxUZIWhNfyUwMKAGxRnj2Q0tzm3O6ZCwcL\n3DIVXlJHfrQHN8rZ38rG0bi4l4OnnSV1y2kskqkOITFcv6N0MmyQ8+rzG/m5VHC6\nc9IBl0zXGZs+8sXDsXzN7tabdieUmke1FyR1SV/YsR9rnnm1cZJcfJqJcKWeKD0v\nGMvKjgq6VImt8xAZbaOHWzV3+PfinisPh7XYRabE87EAyMFmy5jWclZrg8UhsaYX\nDEV2+wis3jgANdAgvNox/7camxSciogKKSTxc8ZTPaok33GeudET5pmVbac9sQsc\ne/jrTvN+AnHMtGoQQwAHPQH3DMjomzd1vmjV4aI6UfearT0GlkLLMVcn6wp2OQ7w\nd+yh2QnDGXUHLYCkAcvNVklL8ZGlhxgV9zdhoYVSdiZPXAQNvfCDgNilzMaJKXmF\nk2sR0BB3wnSG7//dUTbNTbBQw8JpuYesDpUC+JYMWErnFak9MGj0Q+ISfxYE9vC5\nLSiCsqNHibsGcA5XpVVvO4q/LM6mwhCozD4WXrCw3xl4n4EWWiTQceF+yYSRtsmn\npWcWk56HHAlr5Qs9jRuW90pzyf8X/T9rEmugb62Z7SGSUH/A4xJxLpZJHb4q/whu\nhBENV2qm+t4=\n=l+R3\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://listman.redhat.com/mailman/listinfo/rhsa-announce\n. Description:\n\nRed Hat AMQ Streams, based on the Apache Kafka project, offers a\ndistributed backbone that allows microservices and other applications to\nshare data with extremely high throughput and extremely low latency. \n\nSecurity Fix(es):\n\n* jetty: crafted URIs allow bypassing security constraints (CVE-2021-34429)\n\n* netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for\ndecompressed data (CVE-2021-37136)\n\n* netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may\nbuffer skippable chunks in an unnecessary way (CVE-2021-37137)\n\n* Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients\n(CVE-2021-38153)\n\n* log4j-core: remote code execution via JDBC Appender (CVE-2021-44832)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. Bugs fixed (https://bugzilla.redhat.com/):\n\n1985223 - CVE-2021-34429 jetty: crafted URIs allow bypassing security constraints\n2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn\u0027t allow setting size restrictions for decompressed data\n2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn\u0027t restrict chunk length and may buffer skippable chunks in an unnecessary way\n2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients\n2035951 - CVE-2021-44832 log4j-core: remote code execution via JDBC Appender\n\n5", "sources": [ { "db": "NVD", "id": "CVE-2021-34429" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "VULHUB", "id": "VHN-394611" }, { "db": "VULMON", "id": "CVE-2021-34429" }, { "db": "PACKETSTORM", "id": "164346" }, { "db": "PACKETSTORM", "id": "165564" } ], "trust": 2.52 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-394611", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-394611" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2021-34429", "trust": 3.6 }, { "db": "PACKETSTORM", "id": "165564", "trust": 0.8 }, { "db": "JVNDB", "id": "JVNDB-2021-009832", "trust": 0.8 }, { "db": "CNNVD", "id": "CNNVD-202107-1094", "trust": 0.7 }, { "db": "EXPLOIT-DB", "id": "50478", "trust": 0.7 }, { "db": "PACKETSTORM", "id": "164346", "trust": 0.7 }, { "db": "CS-HELP", "id": "SB2022012750", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072013", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022042520", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021093016", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022072091", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2022060717", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.3256", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2021.2879", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.4174", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.0195", "trust": 0.6 }, { "db": "AUSCERT", "id": "ESB-2022.3156", "trust": 0.6 }, { "db": "CS-HELP", "id": "SB2021041363", "trust": 0.6 }, { "db": "CNNVD", "id": "CNNVD-202104-975", "trust": 0.6 }, { "db": "VULHUB", "id": "VHN-394611", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2021-34429", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-394611" }, { "db": "VULMON", "id": "CVE-2021-34429" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "PACKETSTORM", "id": "164346" }, { "db": "PACKETSTORM", "id": "165564" }, { "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "id": "VAR-202107-1585", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-394611" } ], "trust": 0.01 }, "last_update_date": "2024-02-20T00:22:37.524000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Oracle\u00a0Critical\u00a0Patch\u00a0Update\u00a0Advisory\u00a0-\u00a0April\u00a02022 Oracle\u00a0Critical\u00a0Patch\u00a0Update", "trust": 0.8, "url": "https://github.com/eclipse/jetty.project/security/advisories/ghsa-vjv5-gp2w-65vm" }, { "title": "Eclipse Jetty Repair measures for information disclosure vulnerabilities", "trust": 0.6, "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=158187" }, { "title": "Debian CVElist Bug Report Logs: jetty9: CVE-2021-34429", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=958d7f11470eb2595bad01a01f3abf85" }, { "title": "Red Hat: CVE-2021-34429", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database\u0026qid=cve-2021-34429" }, { "title": "CVE-2021-34429", "trust": 0.1, "url": "https://github.com/coldfusionx/cve-2021-34429 " }, { "title": "JETTY CVE-2021-34429", "trust": 0.1, "url": "https://github.com/cwh945/jetty-poc " } ], "sources": [ { "db": "VULMON", "id": "CVE-2021-34429" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "CNNVD", "id": "CNNVD-202107-1094" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "NVD-CWE-Other", "trust": 1.0 }, { "problemtype": "Bad authentication (CWE-863) [NVD Evaluation ]", "trust": 0.8 }, { "problemtype": "CWE-863", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-394611" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 2.3, "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "trust": 1.7, "url": "https://github.com/eclipse/jetty.project/security/advisories/ghsa-vjv5-gp2w-65vm" }, { "trust": 1.7, "url": "https://security.netapp.com/advisory/ntap-20210819-0006/" }, { "trust": 1.7, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 1.7, "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "trust": 1.0, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-34429" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857%40%3ccommits.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398%40%3ccommits.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1%40%3cdev.santuario.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c%40%3ccommits.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e%40%3cdev.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c%40%3cdev.hbase.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe%40%3ccommits.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3cdev.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46%40%3cissues.hbase.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64%40%3ccommits.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8%40%3ccommits.pulsar.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1%40%3ccommits.pulsar.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500%40%3ccommits.pulsar.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46%40%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b%40%3cissues.zookeeper.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6%40%3cjira.kafka.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba%40%3cissues.hbase.apache.org%3e" }, { "trust": 0.8, "url": "https://lists.apache.org/thread/t2ypp3t3v7n1p12h4yclp8fopf7dmryb" }, { "trust": 0.8, "url": "https://lists.apache.org/thread/x07thv8bylkgxpqkmp2wvrj1po2dm8mq" }, { "trust": 0.8, "url": "https://lists.apache.org/thread/lyt8zcojbszzo2xnyzkm695rh6w26mb8" }, { "trust": 0.8, "url": "https://lists.apache.org/thread/0w67910oxj7t53c0ql56h7744jkzvgxf" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r721ab6a5fa8d45bec76714b674f5d4caed2ebfeca69ad1d6d4caae6c@%3cdev.hbase.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/re850203ef8700cb826534dd4a1cb9f5b07bb8f6f973b39ff7838d3ba@%3cissues.hbase.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r833a4c8bdbbfeb8a2cd38238e7b59f83edd5c1a0e508b587fc551a46@%3cissues.hbase.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r9d245c6c884bbc804a472116d730c1a01676bf24f93206a34923fc64@%3ccommits.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r02f940c27e997a277ff14e79e84551382e1081e8978b417e0c2b0857@%3ccommits.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r756443e9d50af7e8c3df82e2c45105f452c8e8195ddbc0c00f58d5fe@%3ccommits.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r4727d282b5c2d951057845a46065d59f6e33132edc0a14f41c26b01e@%3cdev.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r46900f74dbb7d168aeac43bf0e7f64825376bb7eb74d31a5b33344ce@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r679d96f981d4c92724090ed2d5e8565a1d655a72bb315550489f052e@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/re01890eef49d4201018f2c97e26536e3e75f441ecdbcf91986c3bc17@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/re5e9bb535db779506013ef8799dc2a299e77cdad6668aa94c456dba6@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r6e6f50c1ce1fb592cb43e913f5be23df104d50751465f8f1952ace0c@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/re3de01414ccf682fe0951205f806dd8e94440798fd64c55a4941de3e@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r74fdc446df551fe89a0a16957a1bfdaad19380e0c1afd30625685a9c@%3cjira.kafka.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r9e6158d72ef25077c2dc59fbddade2eacf7d259a2556c97a989f2fe8@%3ccommits.pulsar.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/rc26807be68748b3347decdcd03ae183622244b0b4cb09223d4b7e500@%3ccommits.pulsar.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/rb33d65c3e5686f2e3b9bb8a032a44163b2f2ad9d31a8727338f213c1@%3ccommits.pulsar.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r3aefe613abce594c71ace50088d2529bbde65d08b8e7ff2c2723aaa1@%3cdev.santuario.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r44ea39ca8110de7353bfec88f58aa3aa58a42bb324b8772512ee190c@%3ccommits.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r0626f279ebf65506110a897e3a57ccd4072803ee5434b2503e070398@%3ccommits.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82@%3cdev.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r90e7b4c42a96d74c219e448bee6a329ab0cd3205c44b63471d96c3ab@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/rcea249eb7a0d243f21696e4985de33f3780399bf7b31ea1f6d489b8b@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36@%3cissues.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r46f748c1dc9cf9b6c1c18f6b5bfc3a869907f68f72e17666f2f30f24@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r029c0c6833c8bb6acb094733fd7b75029d633f47a92f1c9d14391fc0@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r2e32390cb7aedb39069e5b18aa130ca53e766258518faee63c31d3ea@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r5678d994d4dd8e7c838eed3bbc1a83a7f6bc62724b0cce67e8892a45@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/rcb157f55b9ae41b3076801de927c6fca1669c6d8eaf11a9df5dbeb46@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.7, "url": "https://lists.apache.org/thread.html/r48a93f2bc025acd7c7e341ed3864bfdeb75f0c768d41bc247e1a1f63@%3cnotifications.zookeeper.apache.org%3e" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/165564/red-hat-security-advisory-2022-0138-06.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072013" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.0195" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022060717" }, { "trust": 0.6, "url": "https://packetstormsecurity.com/files/164346/red-hat-security-advisory-2021-3700-01.html" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022042520" }, { "trust": 0.6, "url": "https://www.ibm.com/support/pages/node/6527232" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022072091" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021093016" }, { "trust": 0.6, "url": "https://www.exploit-db.com/exploits/50478" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.2879" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.4174" }, { "trust": 0.6, "url": "https://vigilance.fr/vulnerability/eclipse-jetty-information-disclosure-via-web-inf-directory-access-35918" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2021.3256" }, { "trust": 0.6, "url": "https://www.auscert.org.au/bulletins/esb-2022.3156" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2022012750" }, { "trust": 0.6, "url": "https://www.cybersecurity-help.cz/vdb/sb2021041363" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-34429" }, { "trust": 0.2, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.2, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.2, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.2, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2021:3700" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_amq/2021.q4" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-28163" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-27223" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28165" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28164" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-29425" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-20289" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-34428" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3425" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21295" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-21290" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-28169" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-29425" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-21295" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.amq.broker\u0026version=7.9.0" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21409" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28163" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-21409" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-27223" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3425" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-13956" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-3763" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-34428" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-3763" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-28164" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13956" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-21290" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-28169" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-20289" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-28165" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37136" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-44832" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-37137" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-37137" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-44832" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-37136" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-38153" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.amq.streams\u0026version=2.0.0" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:0138" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-38153" } ], "sources": [ { "db": "VULHUB", "id": "VHN-394611" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "PACKETSTORM", "id": "164346" }, { "db": "PACKETSTORM", "id": "165564" }, { "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-394611" }, { "db": "VULMON", "id": "CVE-2021-34429" }, { "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "db": "PACKETSTORM", "id": "164346" }, { "db": "PACKETSTORM", "id": "165564" }, { "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "db": "CNNVD", "id": "CNNVD-202104-975" }, { "db": "NVD", "id": "CVE-2021-34429" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2021-07-15T00:00:00", "db": "VULHUB", "id": "VHN-394611" }, { "date": "2021-07-15T00:00:00", "db": "VULMON", "id": "CVE-2021-34429" }, { "date": "2022-05-31T00:00:00", "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "date": "2021-09-30T16:39:42", "db": "PACKETSTORM", "id": "164346" }, { "date": "2022-01-14T15:29:02", "db": "PACKETSTORM", "id": "165564" }, { "date": "2021-07-15T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "date": "2021-04-13T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2021-07-15T17:15:08.637000", "db": "NVD", "id": "CVE-2021-34429" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-10-27T00:00:00", "db": "VULHUB", "id": "VHN-394611" }, { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2021-34429" }, { "date": "2022-05-31T08:12:00", "db": "JVNDB", "id": "JVNDB-2021-009832" }, { "date": "2022-10-28T00:00:00", "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "date": "2021-04-14T00:00:00", "db": "CNNVD", "id": "CNNVD-202104-975" }, { "date": "2023-11-07T03:35:59.680000", "db": "NVD", "id": "CVE-2021-34429" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "CNNVD", "id": "CNNVD-202107-1094" } ], "trust": 0.6 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Eclipse\u00a0Jetty\u00a0 Authentication Vulnerability in Microsoft", "sources": [ { "db": "JVNDB", "id": "JVNDB-2021-009832" } ], "trust": 0.8 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "other", "sources": [ { "db": "CNNVD", "id": "CNNVD-202107-1094" }, { "db": "CNNVD", "id": "CNNVD-202104-975" } ], "trust": 1.2 } }
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.