ALAS2-2024-2408 --- jetty | ID: oval:org.secpod.oval:def:1702020 | Date: (C)2024-02-07 (M)2024-02-07 |
Class: PATCH | Family: unix |
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, and <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.