CVE-2011-4461
Published: 29 December 2011
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Notes
| Author | Note |
|---|---|
| mdeslaur | in main in lucid, maverick, natty only |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jetty Launchpad, Ubuntu, Debian |
hardy |
Not vulnerable
(end of life)
|
| lucid |
Released
(6.1.22-1ubuntu1.1)
|
|
| maverick |
Ignored
(end of life)
|
|
| natty |
Released
(6.1.24-6ubuntu0.11.04.1)
|
|
| oneiric |
Ignored
(end of life)
|
|
| precise |
Released
(6.1.24-6ubuntu0.12.04.1)
|
|
| quantal |
Ignored
(end of life)
|
|
| raring |
Ignored
(end of life)
|
|
| saucy |
Ignored
(end of life)
|
|
| trusty |
Not vulnerable
(6.1.26-1ubuntu1)
|
|
| upstream |
Needs triage
|
|
|
Patches: upstream: https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | Low |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
References
- http://www.kb.cert.org/vuls/id/903934
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01818.html
- https://ubuntu.com/security/notices/USN-1429-1
- https://www.cve.org/CVERecord?id=CVE-2011-4461
- NVD
- Launchpad
- Debian