Improper authorization control for web services in org.eclipse.jetty:jetty-server

Description

Jetty contains an alias issue that could allow unauthenticated remote code execution due to a specially crafted request. The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
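
The alias behaviour described above, as an added example (not Jetty's code and not part of the original advisory): a simplified model in which a constraint check treats only `/` as a path separator while a Windows filesystem also accepts `\`, next to a check that canonicalizes the path before matching. The `/admin/` prefix, the sample request paths and all function names are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed security constraint: everything under /admin/ needs authorization.
PROTECTED_PREFIXES = ("/admin/",)


def naive_is_protected(raw_path: str) -> bool:
    """Match the decoded URL path as-is; only '/' counts as a separator."""
    decoded = unquote(raw_path)
    return any(decoded.startswith(p) for p in PROTECTED_PREFIXES)


def canonical(raw_path: str) -> str:
    """Decode once, then normalize the way a Windows filesystem resolves it:
    a backslash is a separator too, and '.' / '..' segments are collapsed."""
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_protected(raw_path: str) -> bool:
    """Apply the constraint to the canonical path, not the request spelling."""
    path = canonical(raw_path) + "/"
    return any(path.startswith(p) for p in PROTECTED_PREFIXES)


def is_alias(raw_path: str) -> bool:
    """True when the request spelling differs from the canonical resource path.
    Strict by design: any non-canonical form is flagged."""
    return unquote(raw_path) != canonical(raw_path)


def triage(raw_path: str) -> str:
    """Label a request path for logging or rejection."""
    if hardened_is_protected(raw_path) and not naive_is_protected(raw_path):
        return "constraint-bypass-alias"
    if is_alias(raw_path):
        return "alias"
    return "protected" if hardened_is_protected(raw_path) else "public"


if __name__ == "__main__":
    # Constructed sample request paths.
    for p in ("/admin/secret.txt", "/admin%5Csecret.txt", "/public/index.html"):
        print(f"{p:24} naive={naive_is_protected(p)!s:5} -> {triage(p)}")
```
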

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions