Anolis OS update for jetty

Published: 2024-02-06 | Updated: 2025-03-28

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2021-34429 CVE-2021-28164
CWE-ID	CWE-284 CWE-20
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available. Public exploit code for vulnerability #2 is available.
Vulnerable software	Anolis OS Operating systems & Components / Operating system jetty-xml Operating systems & Components / Operating system package or component jetty-webapp Operating systems & Components / Operating system package or component jetty-util-ajax Operating systems & Components / Operating system package or component jetty-util Operating systems & Components / Operating system package or component jetty-servlet Operating systems & Components / Operating system package or component jetty-server Operating systems & Components / Operating system package or component jetty-security Operating systems & Components / Operating system package or component jetty-jmx Operating systems & Components / Operating system package or component jetty-javadoc Operating systems & Components / Operating system package or component jetty-jaas Operating systems & Components / Operating system package or component jetty-io Operating systems & Components / Operating system package or component jetty-http Operating systems & Components / Operating system package or component jetty-continuation Operating systems & Components / Operating system package or component jetty-client Operating systems & Components / Operating system package or component jetty Operating systems & Components / Operating system package or component
Vendor	OpenAnolis

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper access control

EUVDB-ID: #VU56964

Risk: Medium

CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Green]

CVE-ID: CVE-2021-34429

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

Anolis OS: 23

jetty-xml: before 9.4.43-1

jetty-webapp: before 9.4.43-1

jetty-util-ajax: before 9.4.43-1

jetty-util: before 9.4.43-1

jetty-servlet: before 9.4.43-1

jetty-server: before 9.4.43-1

jetty-security: before 9.4.43-1

jetty-jmx: before 9.4.43-1

jetty-javadoc: before 9.4.43-1

jetty-jaas: before 9.4.43-1

jetty-io: before 9.4.43-1

jetty-http: before 9.4.43-1

jetty-continuation: before 9.4.43-1

jetty-client: before 9.4.43-1

jetty: before 9.4.43-1

CPE2.3

External links

https://anas.openanolis.cn/errata/detail/ANSA-2024:0051

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU51877