Description
Gotham Digital Science discovered a critical information leakage vulnerability affecting Jetty server versions 9.2.3 to 9.2.8. When illegal characters are submitted in header values to the server, the exception handling code returns approximately 16 bytes of data from a shared buffer.
Remediation
Upgrade to the latest version of Jetty (this issue was fixed in version 9.2.9.v20150224).
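To find servers that still need this upgrade, the following Python script checks an inventory of Jetty version strings or `Server` banners against the affected range stated above. It is an added example, not part of the original advisory or of the Jetty project; the host names and sample version strings are constructed, and the function names are hypothetical.

```python
import re

# Affected range and fixed release exactly as stated in this advisory.
AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)
FIXED_RELEASE = "9.2.9.v20150224"

# A Server banner such as "Jetty(9.2.7.v20150116)", found anywhere in the text.
_BANNER_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)[^)]*\)")
# A bare version such as "9.2.7.v20150116" or "9.2.7"; must be the whole string
# so that banners of other products are not misread as Jetty versions.
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\s*")

def parse_jetty_version(text):
    """Return (major, minor, patch), or None if no Jetty version can be read."""
    text = text or ""
    m = _BANNER_RE.search(text) or _BARE_RE.fullmatch(text)
    return tuple(int(g) for g in m.groups()) if m else None

def classify(text):
    """Classify one banner/version string against the advisory's range only."""
    version = parse_jetty_version(text)
    if version is None:
        return "unknown"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    return "not_in_advisory_range"

def audit(inventory):
    """Map each host to its classification; inventory is {host: banner}."""
    return {host: classify(banner) for host, banner in inventory.items()}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "app-01": "Jetty(9.2.7.v20150116)",
    "app-02": "9.2.9.v20150224",
    "app-03": "Jetty(9.2.2.v20140723)",
    "app-04": "nginx/1.18.0",
    "app-05": "9.2.3",
}

if __name__ == "__main__":
    for host, verdict in sorted(audit(SAMPLE).items()):
        note = f" -> upgrade to {FIXED_RELEASE} or later" if verdict == "affected" else ""
        print(f"{host}: {verdict}{note}")
```

An `unknown` result means the string could not be read as a Jetty version and the host should be checked by hand, since banners can be suppressed or rewritten by proxies.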