Home

Description

In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

PUBLISHED Reserved 2026-05-12 | Published 2026-07-14 | Updated 2026-07-14 | Assigner eclipse




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-647

Product status

Default status
unaffected

12.0.0 (semver)
affected

12.1.0 (semver)
affected

Credits

https://github.com/jweny finder

https://github.com/lworld0x00 finder

References

gitlab.eclipse.org/security/cve-assignment/-/work_items/108

cve.org (CVE-2026-8384)

nvd.nist.gov (CVE-2026-8384)

Download JSON