{"affected":[{"ecosystem_specific":{"binaries":[{"jetty-annotations":"9.4.42-3.9.1","jetty-client":"9.4.42-3.9.1","jetty-continuation":"9.4.42-3.9.1","jetty-http":"9.4.42-3.9.1","jetty-io":"9.4.42-3.9.1","jetty-jaas":"9.4.42-3.9.1","jetty-javax-websocket-client-impl":"9.4.42-3.9.1","jetty-javax-websocket-server-impl":"9.4.42-3.9.1","jetty-jmx":"9.4.42-3.9.1","jetty-jndi":"9.4.42-3.9.1","jetty-jsp":"9.4.42-3.9.1","jetty-minimal-javadoc":"9.4.42-3.9.1","jetty-openid":"9.4.42-3.9.1","jetty-plus":"9.4.42-3.9.1","jetty-proxy":"9.4.42-3.9.1","jetty-security":"9.4.42-3.9.1","jetty-server":"9.4.42-3.9.1","jetty-servlet":"9.4.42-3.9.1","jetty-util":"9.4.42-3.9.1","jetty-util-ajax":"9.4.42-3.9.1","jetty-webapp":"9.4.42-3.9.1","jetty-websocket-api":"9.4.42-3.9.1","jetty-websocket-client":"9.4.42-3.9.1","jetty-websocket-common":"9.4.42-3.9.1","jetty-websocket-javadoc":"9.4.42-3.9.1","jetty-websocket-server":"9.4.42-3.9.1","jetty-websocket-servlet":"9.4.42-3.9.1","jetty-xml":"9.4.42-3.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 
15.3","name":"jetty-minimal","purl":"pkg:rpm/opensuse/jetty-minimal&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"9.4.42-3.9.1"}],"type":"ECOSYSTEM"}]},{"ecosystem_specific":{"binaries":[{"jetty-annotations":"9.4.42-3.9.1","jetty-client":"9.4.42-3.9.1","jetty-continuation":"9.4.42-3.9.1","jetty-http":"9.4.42-3.9.1","jetty-io":"9.4.42-3.9.1","jetty-jaas":"9.4.42-3.9.1","jetty-javax-websocket-client-impl":"9.4.42-3.9.1","jetty-javax-websocket-server-impl":"9.4.42-3.9.1","jetty-jmx":"9.4.42-3.9.1","jetty-jndi":"9.4.42-3.9.1","jetty-jsp":"9.4.42-3.9.1","jetty-minimal-javadoc":"9.4.42-3.9.1","jetty-openid":"9.4.42-3.9.1","jetty-plus":"9.4.42-3.9.1","jetty-proxy":"9.4.42-3.9.1","jetty-security":"9.4.42-3.9.1","jetty-server":"9.4.42-3.9.1","jetty-servlet":"9.4.42-3.9.1","jetty-util":"9.4.42-3.9.1","jetty-util-ajax":"9.4.42-3.9.1","jetty-webapp":"9.4.42-3.9.1","jetty-websocket-api":"9.4.42-3.9.1","jetty-websocket-client":"9.4.42-3.9.1","jetty-websocket-common":"9.4.42-3.9.1","jetty-websocket-javadoc":"9.4.42-3.9.1","jetty-websocket-server":"9.4.42-3.9.1","jetty-websocket-servlet":"9.4.42-3.9.1","jetty-xml":"9.4.42-3.9.1"}]},"package":{"ecosystem":"openSUSE:Leap 15.3","name":"jetty-websocket","purl":"pkg:rpm/opensuse/jetty-websocket&distro=openSUSE%20Leap%2015.3"},"ranges":[{"events":[{"introduced":"0"},{"fixed":"9.4.42-3.9.1"}],"type":"ECOSYSTEM"}]}],"aliases":[],"details":"This update for jetty-minimal fixes the following issues:\n\nUpdate to version 9.4.42.v20210604\n\n- Fix: bsc#1187117, CVE-2021-28169 - possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory\n- Fix: bsc#1184367, CVE-2021-28165 - jetty server high CPU usage when a client sends data with length > 17408\n- Fix: bsc#1184368, CVE-2021-28164 - Normalize ambiguous URIs\n- Fix: bsc#1184366, CVE-2021-28163 - Exclude webapps directory from deployment scan\n","id":"openSUSE-SU-2021:2005-1","modified":"2021-07-11T08:05:38Z","published":"2021-07-11T08:05:38Z","references":[{"type":"ADVISORY","url":"https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/U4KKN3NUA6VAZ6XTFLI3KB3IHAPVD46L/"},{"type":"REPORT","url":"https://bugzilla.suse.com/1184366"},{"type":"REPORT","url":"https://bugzilla.suse.com/1184367"},{"type":"REPORT","url":"https://bugzilla.suse.com/1184368"},{"type":"REPORT","url":"https://bugzilla.suse.com/1187117"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28163"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28164"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28165"},{"type":"WEB","url":"https://www.suse.com/security/cve/CVE-2021-28169"}],"related":["CVE-2021-28163","CVE-2021-28164","CVE-2021-28165","CVE-2021-28169"],"summary":"Security update for jetty-minimal","upstream":["CVE-2021-28163","CVE-2021-28164","CVE-2021-28165","CVE-2021-28169"]}