CVE-2016-4800 org.eclipse.jetty:jetty-server

Package

Manager: maven
Name: org.eclipse.jetty:jetty-server
Vulnerable Version: >=9.3.0 <9.3.9

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0047 pctl0.63631

Details

Jetty contains an alias issue that could allow unauthenticated remote code execution via a specially crafted request. The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

Metadata

Created: 2018-10-19T16:16:16Z
Modified: 2022-09-14T01:07:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-872g-2h8h-362q/GHSA-872g-2h8h-362q.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-872g-2h8h-362q
Finding: F039
Auto approve: 1