Vulnerability Note VU#553235
Jetty fails to properly process URLs that contain double / characters
Overview
The Jetty web server contains a vulnerability that may allow an attacker to access private files or directories.
Description
Jetty is a web server that is implemented in Java. Jetty contains a vulnerability in the way it processes URLs with multiple "/" (slash) characters. See the Jetty Double slash problem bug report for more information. |
Impact
A remote unauthenticated attacker may be able view hidden or private files and directories. |
Solution
Upgrade Jetty version 6.1.7 has been released to address this issue. |
|
Systems Affected (Learn More)
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Mort Bay | Affected | - | 03 Jan 2008 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://jira.codehaus.org/browse/JETTY-386#action_117699
- http://jira.codehaus.org/browse/JETTY/fixforversion/13950
- http://www.visolve.com/squid/squid24s1/access_controls.php
- http://httpd.apache.org/docs/1.3/mod/mod_proxy.html
- http://secunia.com/advisories/28322/
Credit
Thanks to Greg Wilkins for reporting this vulnerability and for providing information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
- CVE IDs: CVE-2007-6672
- Date Public: 28 Dec 2007
- Date First Published: 03 Jan 2008
- Date Last Updated: 23 Jan 2008
- Severity Metric: 2.64
- Document Revision: 19
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.