CVE-2015-2080

Summary

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Impact & exploitability

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (2)

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

• NVD record
• http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.htmlAdvisory
• http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.htmlAdvisory
• http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.htmlAdvisory
• http://www.securityfocus.com/archive/1/534755/100/1600/threaded
• http://www.securityfocus.com/bid/72768
• http://www.securitytracker.com/id/1031800Advisory
• http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.htmlAdvisory
• http://seclists.org/fulldisclosure/2015/Mar/12Advisory