Executive Summary
Summary | |
---|---|
Title | Jetty fails to properly process URLs that contain double / characters |
Information | |||
---|---|---|---|
Name | VU#553235 | First vendor Publication | 2008-01-03 |
Vendor | VU-CERT | Last vendor Modification | 2008-01-23 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Vulnerability Note VU#553235
Jetty fails to properly process URLs that contain double / characters
Overview
The Jetty web server contains a vulnerability that may allow an attacker to access private files or directories.
I. Description
Jetty is a web server that is implemented in Java. Jetty contains a vulnerability in the way it processes URLs with multiple "/" (slash) characters. See the Jetty Double slash problem bug report for more information.
II. Impact
A remote unauthenticated attacker may be able to view hidden or private files and directories.
III. Solution
Upgrade
Jetty version 6.1.7 has been released to address this issue.
References
Thanks to Greg Wilkins for reporting this vulnerability and for providing information that was used in this report. This document was written by Ryan Giobbi.
Original Source
Url : http://www.kb.cert.org/vuls/id/553235 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-04 | Name : FreeBSD Ports: jetty File : nvt/freebsd_jetty0.nasl |
2008-09-04 | Name : FreeBSD Ports: jetty File : nvt/freebsd_jetty1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
39855 | Jetty URL Multiple Slash Character Information Disclosure Jetty contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when processing multiple "/" characters in an URL, which will disclose access to private files and directories resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2009-04-23 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_0832ee18cf7711dc8c6a00304881ac9a.nasl - Type : ACT_GATHER_INFO |
2008-01-07 | Name : The remote web server is affected by an information disclosure vulnerability. File : jetty_double_slash_info_disclosure.nasl - Type : ACT_ATTACK |
Alert History
Date | Information |
---|---|
2014-02-17 12:07:57 | |