CVE-2021-34429: 
Java vulnerability analysis and mitigation

CVE-2021-34429 affects Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5. The vulnerability allows attackers to craft URIs using encoded characters to access the content of the WEB-INF directory and/or bypass security constraints. This is a variation of the vulnerability previously reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5 (GitHub Advisory).

The vulnerability exists due to URI parsing behavior where URIs containing encoded characters (like %u002e) can be used to access protected resources within the WEB-INF directory. For example, a request to /%u002e/WEB-INF/web.xml can retrieve the web.xml file. Similarly, an encoded null character can prevent correct normalization, allowing paths like /.%00/WEB-INF/web.xml to access protected files (GitHub Advisory).

Successful exploitation of this vulnerability could allow attackers to access sensitive information within the WEB-INF directory, which can reveal implementation details of web applications. This could potentially expose configuration files, class files, and other protected resources that should not be directly accessible (GitHub Advisory).

The recommended mitigation is to upgrade to Jetty versions 9.4.43, 10.0.6, or 11.0.6 which contain the fix. As a temporary workaround, Jetty rewrite rules can be deployed to rewrite any request containing encoded dot segments or null characters in the raw request URI to a known not-found resource (GitHub Advisory, NetApp Advisory).

Multiple organizations and projects responded to this vulnerability by updating their Jetty dependencies, including Apache Kafka, Apache ZooKeeper, and Apache HBase. NetApp issued an advisory detailing the impact on their products and provided patches for affected versions (NetApp Advisory).