Back to overview

CVE-2026-8384

MEDIUM
5.3
CVSS 3.1
Description
In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

Metadata

CVE ID
CVE-2026-8384
State
PUBLISHED
Assigner
eclipse
Reserved
2026-05-12 10:01 UTC
Published
2026-07-14 08:56 UTC
Last updated
2026-07-14 08:56 UTC
Primary CWE
CWE-647
CWE-647
Vendor / Product
Eclipse Foundation / Eclipse Jetty
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
Eclipse Foundation Eclipse Jetty 12.0.0 ≤ 12.0.34, 12.1.0 ≤ 12.1.8
Weakness (CWE)
CWESourceDescription
CWE-647 cna CWE-647
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview