Description

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Remediation

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html

http://www.securityfocus.com/bid/72768

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

http://seclists.org/fulldisclosure/2015/Mar/12

https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md

http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html

http://www.securitytracker.com/id/1031800

http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html

https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

http://www.securityfocus.com/archive/1/534755/100/1600/threaded

https://security.netapp.com/advisory/ntap-20190307-0005/

Related Vulnerabilities

CVE-2019-10453 Vulnerability in maven package org.jenkins-ci.plugins:delphix

CVE-2022-1330 Vulnerability in maven package org.webjars.bower:fullpage.js

CVE-2017-2608 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2022-3171 Vulnerability in maven package com.google.protobuf:protobuf-kotlin

CVE-2021-3859 Vulnerability in maven package io.undertow:undertow-core

Severity

High

Classification

CWE-200 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Broken Link Vendor Advisory Exploit