CVE-2021-28169: 
Java vulnerability analysis and mitigation

CVE-2021-28169 affects Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2. The vulnerability allows requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file (GitHub Advisory, CVE Mitre).

The vulnerability occurs because both ConcatServlet and WelcomeFilter decode the supplied path to verify it is not within the WEB-INF or META-INF directories. The decoded path is then used to call RequestDispatcher which also performs path decoding. This double decoding allows paths with a doubly encoded WEB-INF to bypass the security check. The vulnerability has a CVSS v3.1 base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NetApp Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information regarding the implementation of a web application. Attackers can access protected resources within the WEB-INF directory, potentially revealing configuration details and other sensitive application data (GitHub Advisory, NetApp Advisory).

The vulnerability has been fixed in Jetty versions 9.4.41, 10.0.3, and 11.0.3. If updating to the latest version is not immediately possible, users can deploy their own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty (GitHub Advisory).