In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
History

Tue, 14 Jul 2026 09:15:00 +0000

Type Values Removed Values Added
Description In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served). However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.
Weaknesses CWE-647
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published: 2026-07-14T08:56:17.525Z

Updated: 2026-07-14T08:56:17.525Z

Reserved: 2026-05-12T10:01:35.472Z

Link: CVE-2026-8384

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.