CVE-2021-28169 Overview
CVE-2021-28169 is an information disclosure vulnerability [CWE-200] in Eclipse Jetty affecting versions <= 9.4.40, <= 10.0.2, and <= 11.0.2. The flaw resides in the ConcatServlet, which fails to properly normalize doubly encoded path segments. Attackers can craft requests containing doubly encoded paths to access protected resources within the WEB-INF directory. A request such as /concat?/%2557EB-INF/web.xml returns the web.xml deployment descriptor, exposing application configuration data, servlet mappings, and other implementation details useful for follow-on attacks.
Critical Impact
Unauthenticated remote attackers can retrieve sensitive deployment descriptors and configuration files from WEB-INF, revealing internal application structure and aiding further compromise.
Affected Products
- Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2
- Debian Linux 9 and 10; Oracle Communications Cloud Native Core Policy 1.14.0; Oracle REST Data Services
- NetApp Active IQ Unified Manager, HCI, Management Services for Element Software, and Snap Creator Framework
Discovery Timeline
- 2021-06-09 - CVE-2021-28169 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-28169
Vulnerability Analysis
The vulnerability is an encoding-based access control bypass in Jetty's ConcatServlet, a utility servlet historically used to concatenate multiple static resources (typically JavaScript or CSS files) into a single response. Each resource path is taken from the query string and percent-decoded once before the servlet checks whether it lies under the protected WEB-INF or META-INF prefixes. The once-decoded string is then handed to the container's request dispatcher, which decodes it again. For a doubly encoded path the first decode yields a still-encoded string that does not match the protected prefix, while the dispatcher's second decode resolves it to a sensitive file.
The practical consequence is unauthorized read access to web.xml, custom configuration files, and any other resource inside WEB-INF. These files frequently contain servlet definitions, filter chains, security constraints and authentication realm references, datasource JNDI names, and the names of bundled libraries under WEB-INF/lib. Attackers use this disclosure to map the application, identify additional vulnerable components, and refine attacks against downstream systems. Because the proof of concept is a single unauthenticated GET request, any reachable instance with the servlet mapped should be assumed to have been probed.
Root Cause
The root cause is improper canonicalization of percent-encoded input. The ConcatServlet performs a single URL decode and then compares the result against the WEB-INF and META-INF prefixes to enforce access control. A doubly encoded segment such as %2557 decodes once to %57, so the checked string is /%57EB-INF/web.xml, which does not start with /WEB-INF/ and passes the check. The same string is then handed to the container's request dispatcher, which decodes it a second time, turning %57 into the literal W and resolving the request to /WEB-INF/web.xml.
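To make the single-versus-double decode concrete, the following Python model runs the advisory's request through a vulnerable check and a patched one. It is an added example, not Jetty's source: canonical_path is a stand-in for Jetty's URIUtil.canonicalPath, dispatcher_resolve stands in for the container's request dispatcher, and the patched variant models the fix by re-encoding the verified path so the dispatcher's single decode cannot change what was checked.

```python
"""Model of the CVE-2021-28169 double-decode bypass (constructed example, not Jetty code)."""
from urllib.parse import quote, unquote

PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def canonical_path(path):
    """Collapse '.' and '..' segments; return None if the path escapes the context root.
    Simplified stand-in for Jetty's URIUtil.canonicalPath (assumption for this example)."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(path):
    """The prefix check the servlet applies to the once-decoded path."""
    return path.startswith(PROTECTED_PREFIXES)


def dispatcher_resolve(path):
    """Stand-in for ServletContext.getRequestDispatcher(): the container percent-decodes
    the path it is handed exactly once before resolving it against the webapp root."""
    return canonical_path(unquote(path))


def vulnerable_concat(part):
    """Behaviour of ConcatServlet <= 9.4.40 as described above: decode once, canonicalize,
    check the prefix, then hand the once-decoded string to a dispatcher that decodes it again.
    Returns the resolved resource path, or '404' when the check rejects the part."""
    path = canonical_path(unquote(part))
    if path is None or is_protected(path):
        return "404"
    return dispatcher_resolve(path)


def fixed_concat(part):
    """Patched behaviour as modelled here: the checked canonical path is re-encoded before
    dispatch, so the dispatcher's single decode reproduces exactly the string that was checked."""
    path = canonical_path(unquote(part))
    if path is None or is_protected(path):
        return "404"
    return dispatcher_resolve(quote(path, safe="/"))


if __name__ == "__main__":
    for part in ("/WEB-INF/web.xml", "/%57EB-INF/web.xml", "/%2557EB-INF/web.xml", "/js/app.js"):
        print(f"{part:28} vulnerable -> {vulnerable_concat(part):22} fixed -> {fixed_concat(part)}")
```

With the doubly encoded part the vulnerable flow resolves /WEB-INF/web.xml even though the prefix check ran, while the patched flow resolves a non-existent /%57EB-INF/web.xml, which the resource handler answers with 404.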
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP GET request to the ConcatServlet endpoint with a doubly encoded resource path in the query string pointing at WEB-INF resources. Exploitation is possible only when the ConcatServlet is explicitly mapped in the target application's deployment descriptor, since it is not enabled by default; the /concat path used in the advisory is only an example and the real mapping is whatever web.xml assigns. A representative request pattern is GET /concat?/%2557EB-INF/web.xml, which returns the file contents in the HTTP response body.
Detection Methods for CVE-2021-28169
Indicators of Compromise
- HTTP access logs in which the query string of a request to the ConcatServlet contains %2557, %2545, %2542, or other doubly encoded sequences that resolve to WEB-INF or META-INF after a second decode
- Successful 200 OK responses on the ConcatServlet mapping (/concat in the advisory's example) returning XML or properties content
- Requests targeting web.xml, jetty-web.xml, or other deployment descriptor files
Detection Strategies
- Inspect web server access logs for concat path patterns combined with double-encoded segments and alert on matches
- Deploy WAF rules that decode request paths and query strings repeatedly, until the value stops changing, before applying deny-list checks against WEB-INF and META-INF
- Correlate inbound reconnaissance scans with subsequent targeted requests to Jetty-hosted applications
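The log-hunting strategy above, as an added example (not from the page, Jetty, or any vendor tool): a Python scanner over constructed Jetty NCSA-style access-log lines that decodes each query-string part until it stops changing, collapses dot segments, and flags parts that resolve under WEB-INF or META-INF. It records how many decode rounds were needed so that doubly encoded probes stand out from plain ones, which Jetty already rejects. The log field layout and the sample lines are assumptions of this example.

```python
"""Hunt Jetty access logs for CVE-2021-28169 probes (constructed example, not Jetty code)."""
import re
from urllib.parse import unquote

# NCSA-style request log line; the field layout is assumed for this example,
# adjust the pattern to your own request log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

PROTECTED = ("/web-inf/", "/meta-inf/")

# Constructed sample lines: a doubly encoded WEB-INF probe, a legitimate concat request,
# a mixed-encoding META-INF probe (%25%34%44 -> %4D -> M), and a plain probe Jetty rejects.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Jun/2021:12:00:01 +0000] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 1843',
    '10.0.0.5 - - [09/Jun/2021:12:00:02 +0000] "GET /concat?/js/app.js&/js/vendor.js HTTP/1.1" 200 52310',
    '10.0.0.9 - - [09/Jun/2021:12:00:03 +0000] "GET /concat?/%25%34%44ETA-INF/MANIFEST.MF HTTP/1.1" 200 612',
    '198.51.100.7 - - [09/Jun/2021:12:00:04 +0000] "GET /concat?/WEB-INF/web.xml HTTP/1.1" 404 0',
]


def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing (bounded). Returns (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def collapse_dots(path):
    """Collapse '.' and '..' segments so /x/../WEB-INF/web.xml is seen as /WEB-INF/web.xml."""
    out = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def inspect_target(target):
    """Return (raw_part, resolved_path, rounds) for each query part resolving into a protected dir."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    hits = []
    for part in query.split("&"):
        decoded, rounds = fully_decode(part)
        resolved = collapse_dots(decoded).lower()
        if resolved.startswith(PROTECTED):
            hits.append((part, resolved, rounds))
    return hits


def scan_log(lines):
    """Parse each line and emit one finding per protected-path hit."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for raw, resolved, rounds in inspect_target(m["target"]):
            findings.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "raw": raw,
                "resolved": resolved,
                "decode_rounds": rounds,
                "double_encoded": rounds >= 2,
            })
    return findings


def likely_successful(findings):
    """Doubly encoded probes answered with 200 are the ones that most likely leaked a file."""
    return [f for f in findings if f["double_encoded"] and f["status"] == 200]


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("likely successful:", len(likely_successful(found)))
```

Plain /WEB-INF/ requests that Jetty answered with 404 still appear in the output as low-priority findings; the decode_rounds field is what separates an attacker who found the double-encoding trick from one who only tried the obvious path.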
Monitoring Recommendations
- Centralize Jetty access and request logs to a SIEM or data lake for retrospective hunting against doubly encoded payloads
- Monitor for anomalous 200-response sizes on /concat endpoints, which often indicate successful file retrieval
- Track Jetty version inventory across production assets to flag systems still running affected releases
How to Mitigate CVE-2021-28169
Immediate Actions Required
- Upgrade Eclipse Jetty to versions 9.4.41, 10.0.3, 11.0.3, or later as published in the Eclipse Jetty GitHub Security Advisory
- Audit application web.xml files for any active mapping of org.eclipse.jetty.servlets.ConcatServlet and remove it if not strictly required
- Apply downstream vendor patches from Debian DSA-4949, the NetApp Security Advisory, and Oracle Critical Patch Updates for October 2021, January 2022, and April 2022
Patch Information
Eclipse fixed the issue so that each resource path taken from the query string is percent-decoded and canonicalized once, rejected if it resolves into WEB-INF or META-INF, and then dispatched in a form that the container's own decoding of the dispatch path cannot alter, closing the gap between the path that was checked and the path that was served. Patched versions are Jetty 9.4.41, 10.0.3, and 11.0.3. Downstream packages from Debian, NetApp, and Oracle ship the corrected Jetty libraries through their respective security advisories.
Workarounds
- Unmap the ConcatServlet from web.xml if upgrade is not immediately feasible, since the servlet is not enabled by default
- Configure a reverse proxy or WAF rule that decodes the request line (path and query string) repeatedly and blocks any request that then resolves into WEB-INF or META-INF, or that contains %25 followed by hex digits decoding to a slash or backslash
- Restrict access to administrative and utility endpoints using network-level controls or authentication filters at the proxy layer
# Example WAF rule (ModSecurity) blocking doubly encoded WEB-INF and META-INF access.
# REQUEST_URI carries the path and query string undecoded; two urlDecodeUni passes turn
# /concat?/%2557EB-INF/web.xml (and mixed forms such as %25%34%44ETA-INF) into the
# literal directory name before the match, so no fixed list of %25xx sequences is needed.
SecRule REQUEST_URI "@rx /(?:web|meta)-inf/" \
    "id:1028169,phase:1,deny,status:403,log,\
    t:none,t:urlDecodeUni,t:urlDecodeUni,t:lowercase,\
    msg:'CVE-2021-28169 Jetty ConcatServlet double-encoded WEB-INF access attempt'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.