Jetty Information Disclosure (CVE-2021-34429) - Vulnerability Database

Description

CVE-2021-34429 is a URI normalization vulnerability in Eclipse Jetty versions 9.4.37 through 9.4.42, 10.0.1 through 10.0.5, and 11.0.1 through 11.0.5. A request path containing certain encoded characters (for example the non-standard %u002e encoding of a dot, or a dot followed by an encoded NUL byte) is not normalized consistently between Jetty's protected-resource check and its resource resolution, so a crafted URI can retrieve files under the WEB-INF directory (such as web.xml) or bypass security constraints defined in the web application's configuration. It is a variant of the earlier CVE-2021-28164.

Remediation

Upgrade Eclipse Jetty to a patched version immediately:

• For Jetty 9.4.x: Upgrade to version 9.4.43 or later
• For Jetty 10.0.x: Upgrade to version 10.0.6 or later
• For Jetty 11.0.x: Upgrade to version 11.0.6 or later

After upgrading, verify that protected resources really are unreachable: request WEB-INF content and security-constrained paths both as plain paths and with encoded dot segments, and confirm that none of them returns the protected content. Review access logs for requests containing %u-style encodings, encoded NUL bytes (%00), or encoded dot segments that target WEB-INF or constrained paths, since a 200 response to such a request indicates prior exploitation. If immediate patching is not possible, filter these URI patterns at a web application firewall (WAF) or reverse proxy in front of Jetty, but treat this only as a temporary mitigation until the upgrade is complete.
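The following is an added example, not Jetty's code and not part of this advisory. It models the class of flaw described above (a protected-resource check and the resource layer normalizing the same path differently), places a hardened normalizer beside it, and then applies the weak model to constructed access-log lines to find requests that would have been answered with WEB-INF content. CONTEXT_PATH, PROTECTED_PREFIXES, the decoder behaviour and the log lines are all assumptions made for the example.

```python
"""
Added example; not Jetty's code and not part of the advisory. It models
the class of flaw the entry describes (a protected-resource check and the
resource layer normalising a path differently), shows a hardened
normaliser, and scans constructed access-log lines for requests that the
weak model would have served from WEB-INF. CONTEXT_PATH, PROTECTED_PREFIXES
and LOG_LINES are assumptions made for the example.
"""
import re
from urllib.parse import unquote

CONTEXT_PATH = "/app"                           # assumed context path of the webapp
PROTECTED_PREFIXES = ("/web-inf", "/meta-inf")  # assumed protected trees (lower-case)


def remove_dot_segments(path):
    """Collapse '.' and '..' path segments (RFC 3986 section 5.2.4 behaviour)."""
    out = []
    for seg in path.split("/"):
        if seg == ".":
            continue
        if seg == "..":
            if len(out) > 1:          # never pop the leading empty segment
                out.pop()
            continue
        out.append(seg)
    joined = "/".join(out)
    return joined if joined.startswith("/") else "/" + joined


def is_protected(path):
    low = path.lower()
    return any(low.startswith(p) for p in PROTECTED_PREFIXES)


def legacy_decode(path):
    """Lenient decoder used by the weak model: accepts the non-standard
    %uXXXX form as well as %XX, and silently drops a decoded NUL byte."""
    path = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), path)
    return unquote(path).replace("\x00", "")


def strict_decode(path):
    """Hardened decoder: only RFC 3986 %XX escapes, no control characters."""
    if re.search(r"%(?![0-9A-Fa-f]{2})", path):
        raise ValueError("non-standard or malformed percent-encoding")
    decoded = unquote(path, errors="strict")
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        raise ValueError("control character in decoded path")
    return decoded


def vulnerable_dispatch(path):
    """Weak model: dot segments are removed from the *encoded* path, the
    protected-prefix check runs on the decoded result, and the resource
    layer canonicalises again. An encoded '.' survives the first pass, so
    the check sees '/./WEB-INF/...' while the file served is WEB-INF/...
    Returns ('served', resource) or ('denied', None)."""
    decoded = legacy_decode(remove_dot_segments(path))
    if is_protected(decoded):
        return "denied", None
    return "served", remove_dot_segments(decoded)


def hardened_dispatch(path):
    """Hardened model: reject non-standard encodings, decode, canonicalise
    once, and use that single canonical path for both the check and the
    lookup. Returns ('rejected'|'denied', None) or ('served', resource)."""
    try:
        decoded = strict_decode(path)
    except ValueError:
        return "rejected", None
    canonical = remove_dot_segments(decoded)
    if is_protected(canonical):
        return "denied", None
    return "served", canonical


LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [16/Jul/2021:10:01:02 +0000] "GET /app/index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jul/2021:10:01:05 +0000] "GET /app/WEB-INF/web.xml HTTP/1.1" 404 0',
    '10.0.0.9 - - [16/Jul/2021:10:01:07 +0000] "GET /app/%u002e/WEB-INF/web.xml HTTP/1.1" 200 1873',
    '10.0.0.9 - - [16/Jul/2021:10:01:09 +0000] "GET /app/.%00/WEB-INF/web.xml HTTP/1.1" 200 1873',
    '10.0.0.9 - - [16/Jul/2021:10:01:11 +0000] "GET /app/static/../WEB-INF/web.xml HTTP/1.1" 404 0',
]


def path_in_context(target):
    """Strip the query string and the assumed context path."""
    path = target.split("?", 1)[0]
    if path.startswith(CONTEXT_PATH + "/"):
        path = path[len(CONTEXT_PATH):]
    return path


def find_bypass_requests(lines):
    """Return (target, status) for each logged request that the weak model
    would have answered with a protected resource."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        decision, resource = vulnerable_dispatch(path_in_context(m.group("target")))
        if decision == "served" and is_protected(resource):
            hits.append((m.group("target"), m.group("status")))
    return hits


if __name__ == "__main__":
    for target, status in find_bypass_requests(LOG_LINES):
        print(f"possible WEB-INF read: {target} (logged status {status})")
```

The design point is the single canonical path in hardened_dispatch: whatever string the access check examines must be the exact string the resource lookup uses, and anything the decoder cannot map to a standard RFC 3986 path is rejected rather than guessed at. The same crafted paths can be sent to an upgraded instance as a post-patch check; none of them may return WEB-INF content.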
