
Debian 9: DLA-2661-1 Moderate: Jetty9 Credential Exposure Risk

Debian LTS
May 14, 2021
A new patch for jetty9 resolves several vulnerabilities that could permit malicious actors to reveal sensitive information and manipulate user sessions.
Several vulnerabilities were discovered in jetty, a Java servlet engine and webserver.

Summary

CVE-2017-9735

Jetty is prone to a timing channel in util/security/Password.java,
which makes it easier for remote attackers to obtain access by
observing elapsed times before rejection of incorrect passwords.
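To illustrate the flaw class behind CVE-2017-9735 from the defender's side, here is an added Java example (it is not Jetty's Password.java, which this page does not reproduce; the class and method names are hypothetical) that places an early-exit comparison beside a length-independent constant-time one:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical helper written for this advisory summary; not Jetty's own code.
public final class CredentialCheck {

    // Vulnerable pattern: returns at the first differing character, so the
    // time taken before rejection grows with the length of the matching
    // prefix. That elapsed time is the timing channel the advisory describes.
    static boolean equalsEarlyExit(String expected, String supplied) {
        if (expected.length() != supplied.length()) {
            return false;
        }
        for (int i = 0; i < expected.length(); i++) {
            if (expected.charAt(i) != supplied.charAt(i)) {
                return false;
            }
        }
        return true;
    }

    // Hardened pattern: hash both values to a fixed-length digest so that
    // neither the length nor the content of the supplied value shortens the
    // comparison, then compare with MessageDigest.isEqual, which current JDKs
    // implement without data-dependent early exit for equal-length arrays.
    static boolean equalsConstantTime(String expected, String supplied) {
        try {
            MessageDigest sha = MessageDigest.getInstance("SHA-256");
            byte[] a = sha.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] b = sha.digest(supplied.getBytes(StandardCharsets.UTF_8));
            return MessageDigest.isEqual(a, b);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is a required algorithm in every Java platform implementation.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        String stored = "correct horse battery staple"; // constructed sample value
        System.out.println(equalsEarlyExit(stored, "correct horse battery stapl3"));
        System.out.println(equalsConstantTime(stored, "correct horse battery staple"));
        System.out.println(equalsConstantTime(stored, "wrong"));
    }
}
```

In a real deployment the stored value would be a salted password hash rather than the plaintext, and the constant-time comparison would be applied to the hash outputs.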

CVE-2018-12536

On webapps deployed using default Error Handling, when an
intentionally bad query arrives that doesn't match a dynamic
url-pattern, and is eventually handled by the DefaultServlet's
static file serving, the bad characters can trigger a
java.nio.file.InvalidPathException which includes the full path to
the base resource directory that the DefaultServlet and/or webapp
is using. If this InvalidPathException is then handled by the
default Error Handler, the InvalidPathException message is
included in the error response, revealing the full server path to
the requesting system.

CVE-2019-10241

The server is vulnerable to XSS conditions if a remote client uses
a specially formatted URL against the DefaultServlet or



Package: jetty9
Version: 9.2.30-0+deb9u1
CVE ID: CVE-2017-9735 CVE-2018-12536 CVE-2019-10241 CVE-2019-10247
Debian Bug: 864898 902774 928444
