Eclipse Jetty - Information Disclosure (CVE-2021-28169)

CVE-2021-28169 is a vulnerability in Eclipse Jetty that allows remote attackers to access protected resources within the WEB-INF directory by exploiting doubly encoded paths in requests to the ConcatServlet. This flaw can expose sensitive files such as web.xml, potentially revealing critical information about the web application's internal configuration and implementation.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2021-28169 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. In addition, according to the CrowdSec network, attack volume against CVE-2021-28169 has dipped slightly compared to the previous week. Although still commonly targeted, the decline suggests a cooling-off period. Long-term relevance remains, but attention is waning.

Attackers exploit this vulnerability by sending requests to endpoints such as /static or /concat with doubly encoded paths like /%2557EB-INF/web.xml to access sensitive files within the WEB-INF directory.