cve/2021/CVE-2021-28169.md

### [CVE-2021-28169](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28169)
![](https://img.shields.io/static/v1?label=Product&message=Eclipse%20Jetty&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3C%3D%209.4.40%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-200&color=brighgreen)

### Description

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

### POC

#### Reference
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html

#### Github
- https://github.com/20142995/Goby
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/Awrrays/FrameVul
- https://github.com/CLincat/vulcat
- https://github.com/HimmelAward/Goby_POC
- https://github.com/Threekiii/Awesome-POC
- https://github.com/Threekiii/Vulhub-Reproduce
- https://github.com/Z0fhack/Goby_POC
- https://github.com/antonycc/ondemand-neo4j
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/bigblackhat/oFx
- https://github.com/m3n0sd0n4ld/uCVE
- https://github.com/nu1r/yak-module-Nu
- https://github.com/openx-org/BLEN
- https://github.com/pen4uin/awesome-vulnerability-research
- https://github.com/pen4uin/vulnerability-research
- https://github.com/pen4uin/vulnerability-research-list