This script is Copyright (C) 2015 Tenable Network Security, Inc.
The remote web server is affected by a remote memory disclosure
The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).
See also :
Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.
Risk factor :
Medium / CVSS Base Score : 5.0
CVSS Temporal Score : 4.3
Public Exploit Available : true