Mort Bay Jetty < 6.1.17 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 5017

Synopsis

The remote host is vulnerable to multiple attack vectors

Description

The remote instance of Mort Bay Jetty is vulnerable to a number of flaws. First, the application is vulnerable to a cross-site-scripting flaw when displaying web directory listings. Secondly, the application is prone to an information disclosure flaw which can be used to read files outside the web root. Note: in order for the second flaw to be executed, Jetty must have been configured to have DefaultServlet with support for aliases turned on.

Solution

Upgrade to Mort Bay Jetty 6.1.17 or later.

See Also

http://www.kb.cert.org/vuls/id/402580

Plugin Details

Severity: Medium

ID: 5017

File Name: 5017.prm

Family: Web Servers

Published: 2004/08/18

Modified: 2016/01/21

Dependencies: 1442

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 6.5

Temporal Score: 6

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS3#E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mortbay:jetty

Exploitable With

Core Impact

Reference Information

CVE: CVE-2009-1523, CVE-2009-1524

BID: 34800

OSVDB: 54186, 54187