Description

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html

http://www.securityfocus.com/bid/72768

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

http://seclists.org/fulldisclosure/2015/Mar/12

https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html

http://www.securitytracker.com/id/1031800

http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html

https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

http://www.securityfocus.com/archive/1/534755/100/1600/threaded

https://security.netapp.com/advisory/ntap-20190307-0005/

Related Vulnerabilities

CVE-2017-1000427 Vulnerability in maven package org.webjars.bower:marked

CVE-2022-25848 Vulnerability in npm package static-dev-server

CVE-2021-46089 Vulnerability in maven package org.jeecgframework.boot:jeecg-boot-base-core

CVE-2018-19048 Vulnerability in npm package simditor

CVE-2017-16165 Vulnerability in npm package calmquist.static-server

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Broken Link Vendor Advisory Exploit