[ZOOKEEPER-4337] CVE-2021-34429 in jetty 9.4.38.v20210224 in zookeeper 3.7.0 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.7.0, 3.8.0
Fix Version/s: 3.5.10, 3.8.0, 3.7.1, 3.6.4
Component/s: security
Labels:

Description

Hi, our security tool detects the following CVE on zookeeper 3.7.0 :

https://nvd.nist.gov/vuln/detail/CVE-2021-34429

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

It is a vulnerability related to jetty jar in version 9.4.38.v20210224.jar.

Here is the security advisory from jetty: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm

The CVE has been fixed in 9.4.43, 10.0.6, 11.0.6. An upgrade to 9.4.43 should be done.

Attachments

Issue Links

is related to

ZOOKEEPER-4390 Backport ZOOKEEPER-4337 for branch-3.5 and branch-3.6

Resolved

ZOOKEEPER-4627 High CVE-2022-2048 in jetty-*-9.4.46.v20220331.jar fixed in 9.4.47

Closed

links to

GitHub Pull Request #1734

Activity

People

Assignee:: Damien Diederen

Reporter:: Dominique Mongelli

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 28/Jul/21 13:50

Updated:: 09/Oct/23 11:20

Resolved:: 01/Sep/21 16:51

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h