In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28164
Score elevated to 9.0 because EPSS predicts 93% probability of exploitation within the next 30 days (top 0.2% of all CVEs). NVD baseline CVSS 5.3 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 82%
A fix is available — apply it.
- CVSS v3
- 5.3
- EG Score
- 9.0(high)
- EPSS
- 99.6%
- KEV
- Not listed
Published
April 1, 2021
Last Modified
November 21, 2024
References (50)
- emo@eclipsehttp://packetstormsecurity.com/files/164590/Jetty-9.4.37.v20210219-Information-Disclosure.html
- emo@eclipsehttps://github.com/eclipse/jetty.project/security/advisories/GHSA-v7ff-8wcx-gmc5
- emo@eclipsehttps://lists.apache.org/thread.html/r0841b06b48324cfc81325de3c05a92e53f997185f9d71ff47734d961%40%3Cissues.solr.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r111f1ce28b133a8090ca4f809a1bdf18a777426fc058dc3a16c39c66%40%3Cissues.solr.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r2a3ea27cca2ac7352d392b023b72e824387bc9ff16ba245ec663bdc6%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r2ea2f0541121f17e470a0184843720046c59d4bde6d42bf5ca6fad81%40%3Cissues.solr.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r3c55b0baa4dc38958ae147b2f216e212605f1071297f845e14477d36%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r4a66bfbf62281e31bc1345ebecbfd96f35199eecd77bfe4e903e906f%40%3Cissues.ignite.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r4b1fef117bccc7f5fd4c45fd2cabc26838df823fe5ca94bc42a4fd46%40%3Cissues.ignite.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r5b3693da7ecb8a75c0e930b4ca26a5f97aa0207d9dae4aa8cc65fe6b%40%3Cissues.ignite.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r6ac9e263129328c0db9940d72b4a6062e703c58918dd34bd22cdf8dd%40%3Cissues.ignite.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r763840320a80e515331cbc1e613fa93f25faf62e991974171a325c82%40%3Cdev.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r780c3c210a05c5bf7b4671303f46afc3fe56758e92864e1a5f0590d0%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r7dd079fa0ac6f47ba1ad0af98d7d0276547b8a4e005f034fb1016951%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r8e6c116628c1277c3cf132012a66c46a0863fa2a3037c0707d4640d4%40%3Cissues.zookeeper.apache.org%3E
Vendor Advisories for CVE-2021-28164(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(6)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | jetty | 2022-09-09 | redhat |
| redhat | patch | 2021-11-23 | redhat |
| redhat | patch | 2021-09-30 | redhat |
| redhat | jetty-server | 2021-08-19 | redhat |
| redhat | patch | 2021-05-13 | redhat |
| redhat | rh-eclipse-jetty-0:9.4.40-1.1.el7_9 | 2021-05-06 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.eclipse.jetty:jetty-webapp | 9.4.37.v20210219, 9.4.38.v20210224 | 9.4.39 | — |
Weakness Classification(2)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(7)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2021:1509MODERATE2021-04-01
RHSA-2021:1509 — Moderate
- Red HatRHSA-2021:1560MODERATE2021-04-01
RHSA-2021:1560 — Moderate
- Red HatRHSA-2021:2689MODERATE2021-04-01
RHSA-2021:2689 — Moderate
- Red HatRHSA-2021:3225MODERATE2021-04-01
RHSA-2021:3225 — Moderate
- Red HatRHSA-2021:3700MODERATE2021-04-01
RHSA-2021:3700 — Moderate
- Red HatRHSA-2021:4767MODERATE2021-04-01
RHSA-2021:4767 — Moderate
- Red HatRHSA-2022:6407MODERATE2021-04-01
RHSA-2022:6407 — Moderate
Data Freshness Timeline
(refreshed 3× in last 7d / 23× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-04 06:29 UTCEPSS rescore
- 2026-07-01 15:03 UTCEPSS rescore
- 2026-07-01 06:18 UTCOSV refresh
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-28 04:54 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-27 03:06 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-24 14:03 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-21 01:58 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-13 10:43 UTCOSV refresh
- 2026-06-12 23:10 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
Show 9 moreShow fewer
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-31 22:29 UTCEPSS rescore
- 2026-05-29 13:42 UTCEPSS rescore
- 2026-05-26 18:56 UTCEG score recompute
- 2026-05-26 18:56 UTCVendor advisory
- 2026-05-26 13:42 UTCEPSS rescore
Publicly available exploits
(3 references)Working exploit code is in the public domain (1 Metasploit module) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-50438First seen Oct 22, 2021
Jetty 9.4.37.v20210219 - Information Disclosure
Open source ↗ - Metasploitauxiliary/gather/jetty_web_inf_disclosure✓ verifiedFirst seen Jul 15, 2021
Jetty WEB-INF File Disclosure
Open source ↗ - Nucleihttp/cves/2021/CVE-2021-28164.yamlFirst seen Jan 1, 2021
Eclipse Jetty - Information Disclosure
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2021-28164?
When was CVE-2021-28164 disclosed?
Is CVE-2021-28164 actively exploited?
What is the CVSS score of CVE-2021-28164?
How do I remediate CVE-2021-28164?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-28164
Is Your Infrastructure Affected by CVE-2021-28164?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.