Eclipse Jetty - Information Disclosure (CVE-2021-28169)

CVE-2021-28169 is a vulnerability in Eclipse Jetty that allows remote attackers to access protected resources within the WEB-INF directory by exploiting doubly encoded paths in requests to the ConcatServlet. This flaw can expose sensitive files such as web.xml, potentially revealing critical information about the web application's internal configuration and implementation.

CrowdSec has been tracking this vulnerability and its exploits since 10th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2021-28169 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. CrowdSec network telemetry also shows that exploitation of CVE-2021-28169 has significantly declined over the past week. Attack volumes are well below the long-term average, suggesting attackers are rapidly losing interest. The vulnerability appears to be falling out of active use across most threat landscapes.

Attackers exploit this vulnerability by sending requests to endpoints such as /static or /concat with doubly encoded paths like /%2557EB-INF/web.xml to access sensitive files within the WEB-INF directory.