Issue Overview: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. (CVE-2021-28169) Affected Packages: jetty Note: This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories. Issue Correction: "Run yum update jetty to update your system. " New Packages: noarch: jetty-project-9.0.3-8.amzn2.0.1.noarch jetty-annotations-9.0.3-8.amzn2.0.1.noarch jetty-ant-9.0.3-8.amzn2.0.1.noarch jetty-client-9.0.3-8.amzn2.0.1.noarch jetty-continuation-9.0.3-8.amzn2.0.1.noarch jetty-deploy-9.0.3-8.amzn2.0.1.noarch jetty-http-9.0.3-8.amzn2.0.1.noarch jetty-io-9.0.3-8.amzn2.0.1.noarch jetty-jaas-9.0.3-8.amzn2.0.1.noarch jetty-jaspi-9.0.3-8.amzn2.0.1.noarch jetty-jmx-9.0.3-8.amzn2.0.1.noarch jetty-jndi-9.0.3-8.amzn2.0.1.noarch jetty-jsp-9.0.3-8.amzn2.0.1.noarch jetty-jspc-maven-plugin-9.0.3-8.amzn2.0.1.noarch jetty-maven-plugin-9.0.3-8.amzn2.0.1.noarch jetty-monitor-9.0.3-8.amzn2.0.1.noarch jetty-plus-9.0.3-8.amzn2.0.1.noarch jetty-proxy-9.0.3-8.amzn2.0.1.noarch …Read More
Medium: jetty
