Jetty HttpParser Error Remote Memory Disclosure

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote web server is affected by a remote memory disclosure
vulnerability.

Description :

The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).

See also :

http://www.nessus.org/u?b8d0e830
https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642
http://www.nessus.org/u?f918c477

Solution :

Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 81576 ()

Bugtraq ID: 72768

CVE ID: CVE-2015-2080

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now