  1. ZooKeeper
  2. ZOOKEEPER-4337

CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0

    Details

      Description

      Hi, our security tool detects the following CVE on zookeeper 3.7.0:

      https://nvd.nist.gov/vuln/detail/CVE-2021-34429

      For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

       

      It is a vulnerability related to the jetty jar in version 9.4.38.v20210224.jar.

      Here is the security advisory from jetty: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

      The CVE has been fixed in 9.4.43, 10.0.6, 11.0.6. An upgrade to 9.4.43 should be done.
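
One way to check the jars shipped in an installation's lib directory against the affected ranges and fixed versions quoted in the description. This is an added example, not part of the original issue or of ZooKeeper's own code; the jar file-name pattern, the function names and the sample listing are assumptions.

```python
import re

# Affected ranges and fixed releases exactly as quoted in the issue description.
AFFECTED = [
    ((9, 4, 37), (9, 4, 42), "9.4.43"),
    ((10, 0, 1), (10, 0, 5), "10.0.6"),
    ((11, 0, 1), (11, 0, 5), "11.0.6"),
]

# Assumed naming: jetty-<module>-<major>.<minor>.<patch>[.vYYYYMMDD].jar
JAR_RE = re.compile(r"^(jetty-[a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)(?:\.v\d{8})?\.jar$")


def check_jar(filename):
    """Return (module, version, fixed_in) for a Jetty release jar.

    fixed_in is None when the version is outside the affected ranges.
    Returns None when the file name is not a Jetty release jar.
    """
    m = JAR_RE.match(filename)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(2, 3, 4))
    for low, high, fixed in AFFECTED:
        if low <= version <= high:
            return m.group(1), version, fixed
    return m.group(1), version, None


def scan(filenames):
    """Map each affected Jetty jar name to the release that fixes it."""
    findings = {}
    for name in filenames:
        result = check_jar(name)
        if result and result[2]:
            findings[name] = result[2]
    return findings


# Constructed directory listing (sample data, not taken from the issue).
SAMPLE_LIB = [
    "jetty-server-9.4.38.v20210224.jar",
    "jetty-util-ajax-9.4.38.v20210224.jar",
    "jetty-http-9.4.43.v20210629.jar",
    "jetty-server-10.0.5.jar",
    "netty-handler-4.1.59.Final.jar",
    "zookeeper-3.7.0.jar",
]

if __name__ == "__main__":
    for jar, fixed in scan(SAMPLE_LIB).items():
        print(f"{jar}: affected by CVE-2021-34429, upgrade to {fixed}")
```

To run it against a real installation, pass `os.listdir()` of the lib directory to `scan()` in place of `SAMPLE_LIB`.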

       

       

              People

              • Assignee: Damien Diederen (ztzg)
              • Reporter: Dominique Mongelli (dominique)
