jetty-util and jetty-servlet is vulnerable to information disclosures. When handling a query with bad characters that doesn’t match the url-pattern, the application throws an InvalidPathException
that shows the full path to the base resource directory of the web application.
dev.eclipse.org/mhonarc/lists/jetty-announce/msg00123.html
www.securitytracker.com/id/1041194
bugs.eclipse.org/bugs/show_bug.cgi?id=535670
github.com/eclipse/jetty.project/issues/2560
lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E
lists.debian.org/debian-lts-announce/2021/05/msg00016.html
security.netapp.com/advisory/ntap-20181014-0001/
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us
www.oracle.com/security-alerts/cpuoct2020.html
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html