CVE-2015-2080
Published: 7 October 2016
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Notes
Author | Note |
---|---|
sbeattie | only affects jetty 9.2.3 through 9.2.8 |
Priority
Status
Package | Release | Status |
---|---|---|
jetty Launchpad, Ubuntu, Debian |
lucid |
Not vulnerable
(< 9.x)
|
precise |
Not vulnerable
(< 9.x)
|
|
trusty |
Not vulnerable
(< 9.x)
|
|
upstream |
Needs triage
|
|
utopic |
Not vulnerable
(< 9.x)
|
|
jetty8 Launchpad, Ubuntu, Debian |
lucid |
Does not exist
|
precise |
Does not exist
|
|
trusty |
Not vulnerable
(< 9.x)
|
|
upstream |
Needs triage
|
|
utopic |
Not vulnerable
(< 9.x)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
- https://github.com/eclipse/jetty.project/blob/master/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- https://www.cve.org/CVERecord?id=CVE-2015-2080
- NVD
- Launchpad
- Debian