Multiple issues in versions of Eclipse Jetty may make IBM MQ vulnerable, because IBM MQ uses Jetty to provide its Web Console, REST API, Salesforce Bridge and Blockchain Bridge functionality.

Affected versions include: IBM MQ 9.1 LTS, IBM MQ 9.2 CD, IBM MQ 9.1 CD, IBM MQ 9.2 LTS

Under this announcement, multiple issues were covered:

  1. According to the announcement, Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw that lets requests to the ConcatServlet with a doubly encoded path access protected resources within the WEB-INF directory. For example, a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. An attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
    See CVE-2021-28169
  2. For applicable Eclipse Jetty versions, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. This can result in an application used on a shared computer being left logged in, which enables an attacker to gain access to the application.
    See CVE-2021-34428
  3. If the `${jetty.base}` directory or the `${jetty.base}/webapps` directory is a symlink, the directory may be deployed as a static web application, exposing the webapps themselves and anything else that might be in that directory as available for download. The exploiter would need to send a specially crafted request to exploit this vulnerability but could use this to launch further attacks against.
    See CVE-2021-28163
  4. In Jetty, the default compliance mode allows specially crafted requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
    See CVE-2021-28164
  5. For applicable Eclipse Jetty versions, URIs can be crafted using encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This could allow a remote attacker to obta
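
A log-review check for the encoded-path issues in items 1, 4 and 5, added here as an example and not taken from IBM's or Eclipse's material. It percent-decodes each request target until it stops changing and flags requests whose WEB-INF reference only appears after decoding, or whose path carries `%2e` dot segments; the NCSA log format, the `PROTECTED` list and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

PROTECTED = ("/web-inf", "/meta-inf")  # assumption: directories worth alerting on
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
MAX_ROUNDS = 3  # bound on repeated decoding

def decode_fully(target):
    """Percent-decode until stable; return (decoded, rounds_needed)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(target):
    """Return finding labels for one request target (path plus query)."""
    findings = []
    decoded, rounds = decode_fully(target)
    in_raw = any(p in target.lower() for p in PROTECTED)
    in_decoded = any(p in decoded.lower() for p in PROTECTED)
    if in_decoded and not in_raw:
        findings.append(f"protected-dir-hidden-by-{rounds}x-encoding")
    # Dot segments are only meaningful in the path, not the query string.
    for seg in target.split("?", 1)[0].lower().split("/"):
        if "%2e" in seg and seg.replace("%2e", ".") in (".", ".."):
            findings.append("encoded-dot-segment")
            break
    return findings

def scan(lines):
    """Return (target, status, findings) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        found = classify(m.group(1)) if m else []
        if found:
            hits.append((m.group(1), int(m.group(2)), found))
    return hits

# Constructed sample access-log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [01/Jul/2021:10:00:00 +0000] "GET /app/search?q=hello%20world HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jul/2021:10:00:05 +0000] "GET /concat?/%2557EB-INF/web.xml HTTP/1.1" 200 1834',
    '198.51.100.7 - - [01/Jul/2021:10:00:09 +0000] "GET /app/%2e/WEB-INF/web.xml HTTP/1.1" 404 0',
]
```

A flagged request that was answered with status 200 deserves review first, since it suggests the protected resource was actually served.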