JetLeak vulnerability

Description

Gotham Digital Science discovered a critical information leakage vulnerability affecting Jetty server versions 9.2.3 to 9.2.8. When illegal characters are submitted in header values to the server, the exception handling code returns approximately 16 bytes of data from a shared buffer.

Remediation

Upgrade to the latest version of Jetty (this issue was fixed in version 9.2.9.v20150224).
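For inventory triage, a quick check is to compare the Jetty version a host advertises against the affected range stated above. The script below is an added example, not code from Gotham Digital Science or the Jetty project; it assumes the Server response header carries a banner of the form `Jetty(9.2.7.v20150116)` (an assumption about banner formatting, and the sample header values other than 9.2.9.v20150224 are constructed). A missing or suppressed banner makes the result inconclusive rather than "not affected".

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range from the advisory text (inclusive); fixed in 9.2.9.v20150224.
AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)

# Matches the dotted numeric part of a banner such as "Jetty(9.2.7.v20150116)".
# Banner format is an assumption; adjust if your deployment reports differently.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_jetty_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a Jetty Server header, or None if the
    header does not name Jetty or carries no dotted version number."""
    if "jetty" not in server_header.lower():
        return None
    m = _VERSION_RE.search(server_header)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected_by_jetleak(server_header: str) -> Optional[bool]:
    """True if the advertised Jetty version is within 9.2.3..9.2.8,
    False if it is a Jetty version outside that range,
    None if the version cannot be determined (banner suppressed or not Jetty),
    which should be treated as 'verify by other means', not as safe."""
    version = parse_jetty_version(server_header)
    if version is None:
        return None
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort host -> Server-header pairs into affected / unaffected / unknown."""
    buckets: Dict[str, List[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for host, header in hosts.items():
        result = is_affected_by_jetleak(header)
        key = "unknown" if result is None else ("affected" if result else "unaffected")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed inventory sample; only 9.2.9.v20150224 comes from the advisory.
    sample_hosts = {
        "app-01": "Jetty(9.2.7.v20150116)",
        "app-02": "Jetty(9.2.9.v20150224)",
        "app-03": "Jetty(9.2.2.v20140723)",
        "proxy-01": "Apache/2.4",
        "app-04": "",  # banner suppressed
    }
    for bucket, members in triage(sample_hosts).items():
        print(f"{bucket}: {members}")
```

Hosts in the "unknown" bucket need confirmation from the deployed artifact (e.g. the jetty-server jar version on disk) rather than from the banner, and a patched host whose banner was left unchanged will still be flagged, so treat the output as a worklist, not a final verdict.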

References