For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
CVE-2021-28169
Score elevated to 9.0 because EPSS predicts 90% probability of exploitation within the next 30 days (top 0.4% of all CVEs). NVD baseline CVSS 5.3 retained for reference. Confidence: see factors.
- High exploitation likelihood — EPSS 78%
A fix is available — apply it.
- CVSS v3
- 5.3
- EG Score
- 9.0(high)
- EPSS
- 99.5%
- KEV
- Not listed
Published
June 9, 2021
Last Modified
November 21, 2024
References (48)
- emo@eclipsehttps://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
- emo@eclipsehttps://lists.apache.org/thread.html/r04a4b4553a23aff26f42635a6ae388c3b162aab30a88d12e59d05168%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r234f6452297065636356f43654cdacef565b8f9ceb0e0c07ffb8c73b%40%3Cdev.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe%40%3Cusers.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r284de9c5399486dfff12ab9e7323ca720dd7019a9a3e11c8510a7140%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r29678972c3f8164b151fd7a5802785d402e530c09870a82ffc7681a4%40%3Cdev.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r32b0b640ad2be3b858f0af51c68a7d5c5a66a462c8bbb93699825cd3%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r33eb06b05afbc7df28d31055cae0cb3fd36cab808c884bf6d680bea5%40%3Cdev.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r67c4f90658fde875521c949448c54c98517beecdc7f618f902c620ec%40%3Cissues.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r8a1a332899a1f92c8118b0895b144b27a78e3f25b9d58a34dd5eb084%40%3Cnotifications.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/r91e34ff61aff8fd25a3f2a21539597c6ef7589a31c199b0a9546477c%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/rb1292d30462b9baedea7c5d9594fc75990d9aa0ec223b48054ca9c25%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/rbefa055282d52d6b58d29a79fbb0be65ab0a38d25f00bd29eaf5e6fd%40%3Cnotifications.zookeeper.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/rd5b52362f5edf98e0dcab6541a381f571cccc05ad9188e793af688f3%40%3Cjira.kafka.apache.org%3E
- emo@eclipsehttps://lists.apache.org/thread.html/rddbb4f8d5db23265bb63d14ef4b3723b438abc1589f877db11d35450%40%3Cissues.zookeeper.apache.org%3E
Vendor Advisories for CVE-2021-28169(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(4)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| redhat | jetty | 2022-10-27 | redhat |
| redhat | patch | 2021-11-23 | redhat |
| redhat | jenkins-0:2.289.3.1630554997-1.el8 | 2021-10-18 | redhat |
| redhat | jetty-server | 2021-09-30 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.eclipse.jetty:jetty-servlets | 11.0.0, 11.0.1, 11.0.2 | 11.0.3 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(5)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2021:3225MODERATE2021-06-08
RHSA-2021:3225 — Moderate
- Red HatRHSA-2021:3700MODERATE2021-06-08
RHSA-2021:3700 — Moderate
- Red HatRHSA-2021:3758MODERATE2021-06-08
RHSA-2021:3758 — Moderate
- Red HatRHSA-2021:4767MODERATE2021-06-08
RHSA-2021:4767 — Moderate
- Red HatRHSA-2022:7257MODERATE2021-06-08
RHSA-2022:7257 — Moderate
Data Freshness Timeline
(refreshed 3× in last 7d / 21× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-08 15:12 UTCEPSS rescore
- 2026-07-02 16:57 UTCEPSS rescore
- 2026-07-01 01:48 UTCOSV refresh
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-30 23:20 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-25 13:48 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-23 21:31 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-22 14:24 UTCEPSS rescore
- 2026-06-21 14:55 UTCEPSS rescore
- 2026-06-21 14:54 UTCEPSS rescore
- 2026-06-17 17:51 UTCEPSS rescore
- 2026-06-16 17:51 UTCEPSS rescore
- 2026-06-15 17:46 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 22:58 UTCEPSS rescore
- 2026-06-13 04:13 UTCOSV refresh
- 2026-06-10 22:16 UTCEPSS rescore
- 2026-06-10 13:20 UTCEPSS rescore
- 2026-06-08 14:15 UTCEPSS rescore
- 2026-06-05 22:45 UTCEPSS rescore
Show 14 moreShow fewer
- 2026-06-05 22:45 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-05 06:09 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-06-02 20:11 UTCEPSS rescore
- 2026-05-31 00:15 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-28 13:43 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-27 13:39 UTCEPSS rescore
- 2026-05-26 15:17 UTCEG score recompute
- 2026-05-26 15:17 UTCVendor advisory
- 2026-05-23 14:41 UTCOSV refresh
Publicly available exploits
(1 reference)Working exploit code is in the public domain. Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Nucleihttp/cves/2021/CVE-2021-28169.yamlFirst seen Jan 1, 2021
Eclipse Jetty ConcatServlet - Information Disclosure
Open source ↗
Related CVEs(same vendor + same CWE)
Same vendor
10 shownredhat
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2021-28169?
When was CVE-2021-28169 disclosed?
Is CVE-2021-28169 actively exploited?
What is the CVSS score of CVE-2021-28169?
How do I remediate CVE-2021-28169?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-28169
Is Your Infrastructure Affected by CVE-2021-28169?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.