CVE-2021-34429 Overview
CVE-2021-34429 is an information disclosure vulnerability in Eclipse Jetty affecting versions 9.4.37 through 9.4.42, 10.0.1 through 10.0.5, and 11.0.1 through 11.0.5. A remote attacker can craft a URI containing specific encoded characters so that the request reaches content under the WEB-INF directory or bypasses a configured security constraint. The flaw is a variation of CVE-2021-28164 and stems from inconsistent URI decoding and normalization in Jetty's request handling. Beyond Jetty itself, the vulnerable code is embedded in numerous downstream products from NetApp and Oracle, which broadens the exposure footprint. The weakness is classified under [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor].
Critical Impact
An unauthenticated remote attacker can read files under WEB-INF (web.xml, compiled classes, and any configuration or credentials stored there) and bypass URI-based security constraints, disclosing application configuration and code. The impact is confidentiality only: no integrity or availability impact, and NVD scores it CVSS 3.1 base 5.3 (Medium). The severity in practice depends on what the deployment keeps under WEB-INF, which is why the heading here is stronger than the CVSS rating.
Affected Products
- Eclipse Jetty 9.4.37 through 9.4.42, 10.0.1 through 10.0.5, and 11.0.1 through 11.0.5
- NetApp products including E-Series SANtricity OS Controller, SANtricity Web Services, Element Plug-in for vCenter Server, HCI Management Node, Snap Creator Framework, SnapCenter Plug-in, and SolidFire
- Oracle products including AutoVue for Agile PLM, Communications Cloud Native Core (BSF, SEPP, SCP, UDR), Diameter Signaling Router, Financial Services Crime and Compliance Management Studio, REST Data Services, Retail EFTLink, and Stream Analytics
Discovery Timeline
- 2021-07-15 - CVE-2021-34429 published to NVD
- 2021-08-19 - NetApp publishes advisory NTAP-20210819-0006
- 2022-01 - Oracle addresses the issue in the January 2022 Critical Patch Update
- 2022-04 - Oracle issues additional fixes in the April 2022 Critical Patch Update
- 2022-07 - Oracle issues additional fixes in the July 2022 Critical Patch Update
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-34429
Vulnerability Analysis
The vulnerability is a protected-resource and security-constraint bypass caused by inconsistent URI handling in Jetty's request processing. Jetty blocks access to WEB-INF and META-INF by checking whether the request path starts with one of those names, and it evaluates security constraints against that same path. Before the fix, dot segments ("." and "..") were collapsed on the raw request path before percent-decoding, so an encoded dot segment survived that step and only became "." afterwards. The path the checks then saw, for example /./WEB-INF/web.xml, does not start with /WEB-INF, yet the resource lookup that follows collapses the segment and serves the file from the protected location.
This variant follows CVE-2021-28164, which covered %2e and %2e%2e segments (for example /context/%2e/WEB-INF/web.xml) and was fixed in 9.4.39. That fix did not cover every encoded form Jetty's decoder accepted; CVE-2021-34429 addresses the remaining encoded character classes, which the Jetty advisory details. Successful exploitation reveals the deployment descriptor, compiled classes, and any configuration or credentials stored under WEB-INF.
Root Cause
The root cause is inconsistent URI canonicalization: the path checked against protected-resource rules and security constraints is not the same canonical form that the static resource handler ultimately resolves, because certain encoded characters are decoded or normalized only after the check has run. Any such ordering gap lets an attacker pick an encoding that is harmless at check time and equivalent to the protected path at lookup time. Reference: Eclipse Jetty GHSA-vjv5-gp2w-65vm.
Attack Vector
Exploitation requires only a single crafted HTTP request to a network-reachable Jetty endpoint. No authentication or user interaction is needed. The attacker substitutes select characters in the URI with encoded equivalents that defeat the constraint check, then retrieves files such as /WEB-INF/web.xml or compiled servlet classes, which may contain hard-coded secrets. Because Jetty is embedded in many enterprise products, the same request shape works across diverse deployments; only the context path needs adjusting.
No verified public proof-of-concept code is included in this advisory. See the Eclipse Jetty GitHub Security Advisory for technical details on the encoded character sequences involved.
Detection Methods for CVE-2021-34429
Indicators of Compromise
- HTTP access log entries containing percent-encoded characters in paths that reference WEB-INF or META-INF, such as encoded variants of /WEB-INF/web.xml
- Successful 200 OK responses to requests targeting deployment descriptors, .class files, or other resources that should be inaccessible
- Repeated requests from a single source iterating through encoded path variants against the same protected directory
- A 200 response with a non-zero body for a path that, once decoded and normalized, resolves to WEB-INF or META-INF; the HTTP response itself is the disclosure, so there is no separate exfiltration channel to wait for
Detection Strategies
- Inspect web server and reverse proxy logs for encoded sequences (%2e, %2e%2e, %uXXXX forms, double encoding such as %252e, mixed-case hex, and encoded characters inside the WEB-INF or META-INF names) in paths that resolve to a protected directory after decoding and dot-segment normalization. Decode and normalize the logged path before matching rather than grepping for the literal string WEB-INF, so that variants where the directory name itself is encoded are not missed
- Deploy WAF or IDS signatures that detect non-standard encoding of WEB-INF and META-INF path components; the signature must run against the decoded and normalized path (or normalize as Jetty would), because byte-level patterns on the raw URI are trivially varied
- Correlate the Server: Jetty(...) response header with the vulnerable version ranges to prioritize at-risk hosts; many deployments disable sendServerVersion, so the absence of the header is not evidence that the host is patched
- Run authenticated vulnerability scans that fingerprint embedded Jetty in NetApp and Oracle products, since vendor branding hides the underlying version
Monitoring Recommendations
- Forward Jetty access logs to a centralized SIEM and alert on 200-class responses for any path containing WEB-INF or META-INF
- Baseline normal URI character distributions per endpoint and alert on statistical anomalies in encoding density
- Record response status and body size for every request whose normalized path contains WEB-INF or META-INF; the leak is the HTTP response itself, so there is no separate egress transfer to catch
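The ordering bug described under Vulnerability Analysis and Root Cause, and the decode-then-match detection advised above, are both shown in the following added example. It is a Python model written for this page, not Jetty source and not taken from the Jetty advisory: vulnerable_check() canonicalizes the raw path before decoding (the pre-fix order) while fixed_check() decodes first, and find_webinf_probes() applies the same normalization to constructed access-log lines. The %uXXXX decoding is an assumption included to illustrate a non-standard encoded variant; the advisory, not this page, lists the sequences that actually mattered. The log lines, the /app context path and the IP addresses are constructed sample data.

```python
# Added example (not Jetty source and not from the Jetty advisory): a Python model
# of the decode/canonicalize ordering bug behind CVE-2021-28164 / CVE-2021-34429,
# plus a sweep that applies the same normalization to access-log paths.
import re
from urllib.parse import unquote

PROTECTED = ("/web-inf", "/meta-inf")  # Jetty's protected targets, matched case-insensitively


def decode_legacy(path: str) -> str:
    """Percent-decode like a permissive legacy decoder: %XX plus the non-standard
    %uXXXX form. ASSUMPTION: %uXXXX is included as an illustrative encoded variant."""
    path = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path)


def canonicalize(path: str) -> str:
    """Collapse '.' and '..' segments (a simplified RFC 3986 remove_dot_segments)."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    joined = "/".join(out)
    return joined if joined.startswith("/") else "/" + joined


def is_protected(path: str) -> bool:
    return path.lower().startswith(PROTECTED)


def vulnerable_check(raw_path: str) -> tuple[bool, str]:
    """Pre-fix order (modelled): canonicalize the RAW path, then decode. An encoded
    dot segment survives canonicalization and only becomes '.' afterwards, so the
    prefix check sees '/./WEB-INF/...'. Returns (blocked, path the lookup resolves)."""
    checked = decode_legacy(canonicalize(raw_path))
    served = canonicalize(checked)  # the resource lookup collapses the '.' segment
    return is_protected(checked), served


def fixed_check(raw_path: str) -> tuple[bool, str]:
    """Fixed order: decode, then canonicalize, then check the same path that is served."""
    checked = canonicalize(decode_legacy(raw_path))
    return is_protected(checked), checked


# Constructed sample access-log lines (NCSA common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jul/2021:10:00:01 +0000] "GET /app/%2e/WEB-INF/web.xml HTTP/1.1" 200 1532
203.0.113.7 - - [15/Jul/2021:10:00:02 +0000] "GET /app/%u002e/WEB-INF/classes/com/example/Db.class HTTP/1.1" 200 4096
203.0.113.7 - - [15/Jul/2021:10:00:03 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 0
198.51.100.9 - - [15/Jul/2021:10:00:04 +0000] "GET /app/index.html HTTP/1.1" 200 812
198.51.100.9 - - [15/Jul/2021:10:00:05 +0000] "GET /app/static/web-info.txt HTTP/1.1" 200 10
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def normalize_target(target: str) -> str:
    """Strip the query, decode as the legacy decoder would, then collapse dot segments."""
    return canonicalize(decode_legacy(target.split("?", 1)[0]))


def find_webinf_probes(log_text: str) -> list[dict]:
    """Flag requests whose NORMALIZED path contains a WEB-INF or META-INF segment.
    Matching after normalization, not on the raw text, is what catches encoded
    variants; 'disclosed' marks the 200s, which are the actual leaks."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        norm = normalize_target(raw)
        if not any(seg.lower() in ("web-inf", "meta-inf") for seg in norm.split("/")):
            continue
        hits.append({
            "ip": m.group("ip"),
            "raw": raw,
            "normalized": norm,
            "status": int(m.group("status")),
            "encoded": raw != decode_legacy(raw),
            "disclosed": m.group("status") == "200",
        })
    return hits


if __name__ == "__main__":
    for probe in ("/%2e/WEB-INF/web.xml", "/%u002e/WEB-INF/web.xml", "/WEB-INF/web.xml"):
        print(f"{probe:28} vulnerable={vulnerable_check(probe)} fixed={fixed_check(probe)}")
    for hit in find_webinf_probes(SAMPLE_LOG):
        print(hit)
```

Run it as a script to see the two orderings side by side: the vulnerable model reports blocked=False for the encoded probes while still resolving them to /WEB-INF/web.xml, and the fixed model blocks them. The sweep reports the plain /app/WEB-INF/web.xml 404 as a probe too, which is worth alerting on even though nothing leaked; the "web-info.txt" line is correctly ignored because the check is per segment, not a substring match.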
How to Mitigate CVE-2021-34429
Immediate Actions Required
- Upgrade Eclipse Jetty to 9.4.43, 10.0.6, 11.0.6, or later as soon as feasible
- Apply the relevant vendor patches for NetApp products per NetApp Advisory NTAP-20210819-0006
- Apply Oracle Critical Patch Updates from January 2022, April 2022, and July 2022 for affected Oracle products
- Audit deployed WEB-INF contents and rotate any credentials, API keys, or tokens that may have been disclosed
Patch Information
Eclipse Jetty patched the issue in versions 9.4.43, 10.0.6, and 11.0.6. The fix makes the path used for protected-resource and security-constraint checks the same canonical path that the resource handler resolves, so that encoded characters can no longer pass one stage in one form and reach the other in another. Downstream products from NetApp and Oracle ship the updated Jetty libraries through their respective security advisories; check the embedded Jetty version in those products rather than relying on the vendor product version alone.
Workarounds
- Place a reverse proxy (such as nginx or Apache HTTPD) in front of Jetty and deny any request whose path resolves to WEB-INF or META-INF before traffic reaches Jetty. The proxy must match on the decoded and normalized path, and must also reject encodings it does not itself decode (such as %uXXXX) but a legacy Jetty decoder did, otherwise the proxy and Jetty disagree in exactly the way the vulnerability exploits
- Configure Jetty to reject ambiguous URIs via the URI compliance setting on HttpConfiguration; the exact class and constants differ between the 9.4 and 10/11 lines, and the Jetty advisory lists the supported settings. This is a partial measure and does not replace upgrading
- Restrict network access to administrative and internal Jetty endpoints via firewall or service mesh policy until patches are applied
# Example nginx pre-filter to block WEB-INF/META-INF access attempts. nginx matches
# location regexes against $uri, which it has already percent-decoded and dot-segment
# normalized, so "%2e" never appears there; match the decoded names instead, and
# separately reject raw %uXXXX sequences, which nginx does not decode but a legacy
# Jetty decoder did. Test against your own traffic before enforcing.
location ~* "/(web-inf|meta-inf)(/|$)" { return 403; }
if ($request_uri ~* "%u[0-9a-f]{4}") { return 403; }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

