CVE-2026-8384 in Jettyinfo

Summary

by MITRE • 07/14/2026

In Eclipse Jetty, an HTTP URI of this form:





/public;/../admin/secret.txt








results in an unresolved path of:





/public/../admin/secret.txt








instead of the expected:





/admin/secret.txt








Jetty itself is not affected, as it will not serve the secret.txt file because it will not pass the alias checker (only resolved resources are served).




However, web applications that rely on resolved paths being provided by Jetty may be confused when receiving an unresolved path.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/14/2026

This vulnerability represents a path traversal issue within Eclipse Jetty's URI processing mechanism where the server fails to properly normalize path references during request handling. The flaw manifests when processing URIs containing semicolon-separated components followed by relative path references, specifically in cases involving directory traversal sequences like "../". The system incorrectly maintains the unresolved path format rather than resolving it to its canonical form, creating a discrepancy between expected and actual path handling behavior. This issue primarily affects applications that depend on Jetty's path resolution for access control decisions or resource identification, as the inconsistent path representation can lead to security logic bypasses or unexpected application behavior.

The technical root cause lies in Jetty's URI parsing and normalization logic which fails to properly resolve relative path components when semicolons are present in the URI structure. This represents a variant of path traversal vulnerabilities commonly classified under CWE-23 Path Traversal and aligns with ATT&CK technique T1078 Valid Accounts for potential privilege escalation scenarios where applications might incorrectly interpret resolved versus unresolved paths. The vulnerability specifically impacts how Jetty handles semicolon-separated path components, which are often used in legacy web applications or frameworks that expect specific URI parsing behavior.

The operational impact of this vulnerability extends beyond simple path resolution inconsistencies to potentially affect application security controls that rely on normalized path representations for access validation. Web applications may experience unexpected behavior when they receive unresolved paths from Jetty's processing, particularly those implementing custom security checks based on path components or alias resolution logic. This could lead to scenarios where legitimate access control measures fail to properly validate requests, as the application receives a path that differs from what it expects during normal operation.

Security implications arise primarily from the potential for applications to misinterpret the path state when making access decisions, creating opportunities for bypassing security controls that depend on proper path normalization. Organizations should ensure their web applications implement robust path validation regardless of Jetty's internal handling, as this vulnerability demonstrates how server-side URI processing inconsistencies can create unexpected security boundaries. The mitigation strategy involves implementing additional input validation at the application layer and ensuring that any security decisions based on path components are made against properly normalized path representations rather than potentially unresolved URI segments.

This vulnerability highlights the importance of consistent URI handling across web infrastructure components, particularly in environments where multiple layers of security controls depend on predictable path representations. The issue demonstrates how seemingly minor inconsistencies in URI parsing can have cascading effects on application security logic, making it essential for developers and security teams to validate that their applications properly handle all possible URI formats that might be encountered during request processing. Organizations should also consider implementing comprehensive testing procedures that verify path resolution behavior under various URI formats to prevent similar issues in custom security implementations.

The vulnerability's classification aligns with ATT&CK framework's focus on application layer attacks and demonstrates how infrastructure components can introduce unexpected behaviors that affect application security posture. Security practitioners should be aware that even when core server functionality remains intact, subtle URI processing differences can create exploitable conditions in applications that make assumptions about path normalization behavior. This particular case emphasizes the need for defensive programming practices where applications validate input at multiple layers rather than relying solely on server-side URI handling for security decisions, as recommended by industry best practices for secure web application development and security architecture principles.

Responsible

Eclipse

Reservation

05/12/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you know our Splunk app?

Download it now for free!