Requests to the ConcatServlet and WelcomeFilter are able to access protected resources within the WEB-INF directory. For example, a request to the ConcatServlet with a URI of /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
This occurs because both ConcatServlet and WelcomeFilter decode the supplied path once to verify that it is not within the WEB-INF or META-INF directories. They then pass this decoded path to RequestDispatcher, which decodes the path again. Because the check and the dispatch operate on differently decoded values, a path containing a doubly encoded WEB-INF passes the check and still resolves to WEB-INF when dispatched, bypassing the security check.
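The following is an added illustration of the check described above, not Jetty's own code: a stand-in for the pre-fix logic (decode once, check, then hand the path to a dispatcher that decodes again) beside a hardened check that refuses any path still percent-encoded after one decoding and normalises dot segments before comparing. The dispatcher_decode helper and the protected-prefix list are assumptions made for this example.

```python
from urllib.parse import unquote
import posixpath

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def dispatcher_decode(path: str) -> str:
    # Stand-in for RequestDispatcher, which decodes the path it is given.
    return unquote(path)


def _first_segment(path: str) -> str:
    # Top-level directory of an absolute path, e.g. "/WEB-INF/web.xml" -> "WEB-INF".
    return path.lstrip("/").split("/", 1)[0]


def vulnerable_concat(query_path: str) -> tuple:
    # Pre-fix behaviour as described in the advisory: one decode, one check,
    # then dispatch, which decodes a second time.
    decoded = unquote(query_path)
    if _first_segment(decoded).upper() in PROTECTED_DIRS:
        return ("denied", decoded)
    return ("served", dispatcher_decode(decoded))


def hardened_concat(query_path: str) -> tuple:
    # Decode once, then reject anything that is still encoded so the check and
    # the dispatcher are guaranteed to see the same path.
    decoded = unquote(query_path)
    if "%" in decoded:
        return ("denied", decoded)
    # Collapse "." and ".." segments before comparing against protected dirs.
    normalised = posixpath.normpath(decoded)
    if not normalised.startswith("/"):
        return ("denied", normalised)
    if _first_segment(normalised).upper() in PROTECTED_DIRS:
        return ("denied", normalised)
    return ("served", dispatcher_decode(normalised))


if __name__ == "__main__":
    # Constructed sample paths: the doubly encoded one from the advisory,
    # a plain protected path and an ordinary static resource.
    for p in ("/%2557EB-INF/web.xml", "/WEB-INF/web.xml", "/css/site.css"):
        print(p, "->", vulnerable_concat(p), "|", hardened_concat(p))
```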
This affects ConcatServlet and WelcomeFilter in all Jetty versions before 9.4.41, 10.0.3 and 11.0.3.
If you cannot update to the latest version of Jetty, you can instead deploy your own version of the ConcatServlet and/or the WelcomeFilter by using the code from the latest version of Jetty.