Fluid Attacks Database

Description

Jetty vulnerable to exposure of sensitive information to unauthenticated remote users The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.eclipse.jetty:jetty-server	>=0 <9.2.9.v20150224	9.2.9.v20150224
maven	org.eclipse.jetty:jetty-http	>=9.2.3.v20140905 <=9.2.8.v20150217 \|\| >=9.3.0.m0 <=9.3.0.m1	9.2.9.v20150224

Aliases

1. CVE-2015-20802. NVD-2015-20803. OSV-2015-20804. GHSA-ghgj-3xqr-6jfm5. GCVE-2015-2080

References

1. https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html2. https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md3. https://security.netapp.com/advisory/ntap-20190307-00054. http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html5. http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html6. http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html7. http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html8. http://seclists.org/fulldisclosure/2015/Mar/129. http://www.securityfocus.com/archive/1/534755/100/1600/threaded10. http://www.securityfocus.com/bid/7276811. http://www.securitytracker.com/id/103180012. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2015/CVE-2015-2080.yaml13. http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html14. http://eclipse.org/jetty/documentation/current/security-reports.html15. https://github.com/GDSSecurity/Jetleak-Testing-Script