Jetty ConcatServlet Information Disclosure (CVE-2021-28169)
Description
Jetty's ConcatServlet, a utility servlet designed to concatenate multiple static resources into a single response, contains a path traversal vulnerability (CVE-2021-28169). Attackers can exploit this flaw by crafting malicious requests with special character sequences to bypass access controls and retrieve protected resources that should not be publicly accessible. This vulnerability affects applications that have deployed and enabled the ConcatServlet component.
Remediation
Upgrade Jetty to a patched version that addresses CVE-2021-28169: 9.4.41, 10.0.3 or 11.0.3 (or later), depending on your major version branch. If immediate upgrading is not feasible, disable or remove the ConcatServlet from your web application configuration if it is not essential to your application's functionality. Review your web.xml or programmatic servlet mappings and remove the ConcatServlet declaration together with its mapping:
<!-- Remove or comment out ConcatServlet configuration -->
<servlet>
  <servlet-name>concat</servlet-name>
  <servlet-class>org.eclipse.jetty.servlets.ConcatServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>concat</servlet-name>
  <url-pattern>*.concat</url-pattern>
</servlet-mapping>
After remediation, verify that protected resources cannot be accessed through concatenation requests.
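As an added example (not part of the advisory or of Jetty itself), the following audit script locates every ConcatServlet declaration in a web.xml and reports the URL patterns it is mapped to, so the entries to remove can be found across many deployment descriptors; it handles the JavaEE namespace on the root element and uses a constructed sample web.xml as input.

```python
"""Audit a web.xml for ConcatServlet declarations (CVE-2021-28169)."""
import xml.etree.ElementTree as ET

CONCAT_CLASS = "org.eclipse.jetty.servlets.ConcatServlet"

# Constructed sample web.xml: one ConcatServlet plus an unrelated servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>concat</servlet-name>
    <servlet-class>org.eclipse.jetty.servlets.ConcatServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>app</servlet-name>
    <servlet-class>com.example.AppServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>concat</servlet-name>
    <url-pattern>*.concat</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>app</servlet-name>
    <url-pattern>/app/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace so '{ns}servlet' compares equal to 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def find_concat_mappings(web_xml):
    """Return {servlet-name: [url-pattern, ...]} for each ConcatServlet declared."""
    root = ET.fromstring(web_xml)
    found = {}
    for elem in root:  # <servlet> declarations are direct children of <web-app>
        if _local(elem.tag) == "servlet" and _text(elem, "servlet-class") == CONCAT_CLASS:
            found[_text(elem, "servlet-name")] = []
    for elem in root:  # then collect the mappings that point at those names
        if _local(elem.tag) == "servlet-mapping" and _text(elem, "servlet-name") in found:
            found[_text(elem, "servlet-name")].extend(
                (c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern")
    return found


if __name__ == "__main__":
    print(find_concat_mappings(SAMPLE_WEB_XML))  # {'concat': ['*.concat']}
```

A non-empty result means the descriptor still exposes the servlet and the listed patterns should be removed (or the Jetty upgrade applied) before the verification step above.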