The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Eclipse Jetty

computer vulnerability alert CVE-2018-12536

Eclipse Jetty: information disclosure via InvalidPathException Message

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via InvalidPathException Message of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Jetty, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2018-12536, NTAP-20181014-0001, VIGILANCE-VUL-26536.

Description of the vulnerability

An attacker can bypass access restrictions to data via InvalidPathException Message of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-7658

Eclipse Jetty: information disclosure via Double Content-Length

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Double Content-Length of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7658, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26535.

Description of the vulnerability

An attacker can bypass access restrictions to data via Double Content-Length of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-7657

Eclipse Jetty: information disclosure via Transfer-Encoding Request Smuggling

Synthesis of the vulnerability

An attacker can bypass access restrictions to data via Transfer-Encoding Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7657, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26534.

Description of the vulnerability

An attacker can bypass access restrictions to data via Transfer-Encoding Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-7656

Eclipse Jetty: information disclosure via HTTP/0.9 Request Smuggling

Synthesis of the vulnerability

An attacker can use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Impacted products: Debian, Jetty, Fedora, SnapManager, Puppet.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 26/06/2018.
Identifiers: CVE-2017-7656, DSA-4278-1, FEDORA-2018-48b73ed393, FEDORA-2018-93a507fd0f, NTAP-20181014-0001, VIGILANCE-VUL-26533.

Description of the vulnerability

The Eclipse Jetty product offers a web service.

However, an attacker can bypass access restrictions to data.

An attacker can therefore use a vulnerability via HTTP/0.9 Request Smuggling of Eclipse Jetty, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2018-12538

Eclipse Jetty: privilege escalation via FileSessionDataStore

Synthesis of the vulnerability

An attacker can bypass restrictions via FileSessionDataStore of Eclipse Jetty, in order to escalate his privileges.
Impacted products: Jetty, SnapManager, Puppet.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Creation date: 25/06/2018.
Identifiers: 536018, CVE-2018-12538, NTAP-20181014-0001, VIGILANCE-VUL-26512.

Description of the vulnerability

An attacker can bypass restrictions via FileSessionDataStore of Eclipse Jetty, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-4800

Eclipse Jetty: directory traversal with backslash characters

Synthesis of the vulnerability

An attacker can traverse directories of Eclipse Jetty, in order to read a file outside the service root path.
Impacted products: Jetty.
Severity: 2/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 30/05/2016.
Identifiers: CVE-2016-4800, ocert-2016-001, VIGILANCE-VUL-19731, ZDI-16-362.

Description of the vulnerability

The Eclipse Jetty is an HTTP server and a servlet engine.

An HTTP server must normalize the path sent in the requested URL and take escapes into account. However, Jetty wrongly manages the path decoding. The proposed countermeasure suggests that "\" is accepted as a path separator, while only "/" is valid in URLs. Using "\n" instead of "/" would allow the client to access the machine code tree and configuration tree in the targeted servlet.

An attacker can therefore traverse directories of Eclipse Jetty, in order to read a file outside the service root path.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability 17015

Eclipse Jetty: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Eclipse Jetty.
Impacted products: Jetty.
Severity: 2/4.
Consequences: user access/rights, client access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 01/06/2015.
Identifiers: 461499, 465053, 468747, VIGILANCE-VUL-17015.

Description of the vulnerability

Several vulnerabilities were announced in Eclipse Jetty.

An attacker can create a connection leak in ConnectionPool, in order to trigger a denial of service. [severity:2/4; 461499]

An attacker can generate a buffer overflow in gzip, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; 465053]

An attacker can trigger a Cross Site Scripting in HttpSpiContextHandler, in order to execute JavaScript code in the context of the web site. [severity:2/4; 468747]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Eclipse Jetty: