#VU340 Security bypass in Jetty - CVE-2016-4800
Published: August 20, 2016 / Updated: January 23, 2017
Vulnerability identifier: #VU340
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-4800
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Jetty
Jetty
Software vendor:
Eclipse
Eclipse
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an error within PathResource class when parsing URLs, which contains certain escaped characters. A remote unauthenticated attacker can bypass implemented security restrictions and gain access to protected resources (e.g. WEB-INF and META-INF folders and their contents) or bypass application filters or other restrictions, implemented in servlet configuration.
Successful exploitation of the vulnerability may allow an attacker to gain unauthorized access to otherwise protected resources.
Remediation
Install the latest version 9.3.9.