Security bypass in Jetty - CVE-2016-4800
Published: August 20, 2016 / Updated: January 23, 2017
Vulnerability identifier: #VU340
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-4800
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Eclipse
Affected software:
Jetty
Jetty
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an error within PathResource class when parsing URLs, which contains certain escaped characters. A remote unauthenticated attacker can bypass implemented security restrictions and gain access to protected resources (e.g. WEB-INF and META-INF folders and their contents) or bypass application filters or other restrictions, implemented in servlet configuration.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to otherwise protected resources.
How to mitigate CVE-2016-4800
Install the latest version 9.3.9.