Jetty HttpParser Error Remote Memory Disclosure
Medium Nessus Plugin ID 81576
SynopsisThe remote web server is affected by a remote memory disclosure vulnerability.
DescriptionThe remote instance of Jetty is affected by a remote memory disclosure vulnerability in the HttpParser module due to incorrect handling of illegal characters in header values. When an illegal character is encountered in an HTTP request, Jetty writes a response in a shared buffer that was used in a previous request. Jetty's response to the client includes this shared buffer which contains potentially sensitive data from the previous request. An attacker, using specially crafted requests containing variable length strings of illegal characters, can steal sensitive header data (e.g. cookies, authentication tokens) or sensitive POST data (e.g. credentials).
SolutionUpgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact the vendor for a solution.