CVE-2015-2080
Published 2016-10-07
Priority P268 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 74.88% (99.4th percentile)
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| eclipse | jetty | — | — |
| fedoraproject | fedora | — | — |
Detection & IOCs
- other: Illegal character 0x0 in state (HTTP 400 response body string)
- bytes: \x00 (null byte in HTTP Referer header)
- Match HTTP 400 responses containing the string 'Illegal character 0x0 in state' in the response body to identify vulnerable Jetty instances.
- Leaked session data may appear in HTTP response headers or body, e.g. Set-Cookie values containing raw memory bytes from other sessions such as 'SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'.
- The vulnerability is exploitable unauthenticated via a POST (or any HTTP method) to any endpoint on the Jetty server with a malformed header. Use the GDS Security Jetleak testing script for automated detection.
- The exploit uses a bash special character ($'\a', ASCII 0x07 BEL) as the illegal character injected into the header value. Any non-printable ASCII character < 0x20 triggers the vulnerability; 0x00 (null) is used in the Nuclei template.
- The affected resource path in the Ignition-specific PoC targets application-specific endpoints; the underlying Jetty vulnerability is path-agnostic and affects any HTTP endpoint on the vulnerable server.
- Red Hat Enterprise Linux 7, Red Hat OpenShift Enterprise 2.1 (openshift-origin-cartridge-fuse), and Red Hat Satellite 5 (nutch) ship versions of Jetty that are NOT affected by this CVE.
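The two response-side indicators listed above, applied to captured HTTP responses, as an added example that is not part of the original page or of any project's own code. The sample responses are constructed, and generalising the hex value in the error text beyond 0x0 is an assumption based on the note that any control byte below 0x20 triggers the error.

```python
import re

# Error text the page lists as the indicator. The hex value is generalised
# (assumption) because the page says any control byte < 0x20 triggers it.
MARKER = re.compile(rb"Illegal character 0x[0-9A-Fa-f]{1,2} in state")
# Anything outside printable ASCII is unexpected inside a cookie value.
NON_PRINTABLE = re.compile(rb"[^\x20-\x7e]")

# Constructed sample responses (not captured from a real server).
SAMPLE_400 = (b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"
              b"<pre>Illegal character 0x0 in state=HEADER_VALUE</pre>")
SAMPLE_COOKIE = (b"HTTP/1.1 200 OK\r\n"
                 b"Set-Cookie: SESSIONID=constructed\x0fCU\xfa\xbf\xa4j\x12\r\n\r\nok")
SAMPLE_CLEAN = (b"HTTP/1.1 200 OK\r\n"
                b"Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly\r\n\r\nok")
SAMPLE_OTHER_400 = b"HTTP/1.1 400 Bad Request\r\n\r\nmissing parameter"


def scan_response(raw: bytes) -> list:
    """Return finding labels for one raw HTTP response (status line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status_line, header_lines = lines[0], lines[1:]
    parts = status_line.split(b" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    findings = []
    # Indicator 1: a 400 whose reason phrase or body carries the parser error text.
    if status == 400 and (MARKER.search(status_line) or MARKER.search(body)):
        findings.append("jetleak-error-marker")
    # Indicator 2: a Set-Cookie value carrying raw non-printable bytes.
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"set-cookie" and NON_PRINTABLE.search(value.strip()):
            findings.append("nonprintable-set-cookie")
            break
    return findings


def triage(responses: dict) -> dict:
    """Map each labelled capture to its findings, keeping only those that matched."""
    results = {label: scan_response(raw) for label, raw in responses.items()}
    return {label: hits for label, hits in results.items() if hits}


if __name__ == "__main__":
    captures = {"err": SAMPLE_400, "cookie": SAMPLE_COOKIE,
                "clean": SAMPLE_CLEAN, "other400": SAMPLE_OTHER_400}
    for label, hits in triage(captures).items():
        print(label, hits)
```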
CVSS provenance
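| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vendor_redhat | — | 7.5 | HIGH | — |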
GHSA
Jetty vulnerable to exposure of sensitive information to unauthenticated remote users
ghsa·2018-11-09
CVE-2015-2080 [HIGH] CWE-200 Jetty vulnerable to exposure of sensitive information to unauthenticated remote users
The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
OSV
Jetty vulnerable to exposure of sensitive information to unauthenticated remote users
osv·2018-11-09
CVE-2015-2080 [HIGH] Jetty vulnerable to exposure of sensitive information to unauthenticated remote users
The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Red Hat
jetty: remote unauthenticated credential exposure
vendor_redhat·2015-02-24·CVSS 7.5
CVE-2015-2080 [HIGH] jetty: remote unauthenticated credential exposure
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Statement: This issue did not affect the versions of jetty as shipped with Red Hat Enterprise Linux 7, versions of openshift-origin-cartridge-fuse as shipped with Red Hat OpenShift Enterprise 2.1, and versions of nutch as shipped with Red Hat Satellite 5.
Package: jetty (Red Hat Enterprise Linux 7) - Not affected
Package: openshift-origin-cartridge-fuse (Red Hat OpenShift Enterprise 2) - Not affected
Package: nutch (Red Hat Satellite 5) - Not affected
No detection rules found.
Exploit-DB
Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers
exploitdb·2016-02-17
CVE-2015-2080 Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers
---
Inductive Automation Ignition 7.8.1 Remote Leakage Of Shared Buffers
Vendor: Inductive Automation
Product web page: http://www.inductiveautomation.com
Affected version: 7.8.1 (b2016012216) and 7.8.0 (b2015101414)
Platform: Java
Summary: Ignition is a powerful industrial application platform with
fully integrated development tools for building SCADA, MES, and IIoT
solutions.
Desc: Remote unauthenticated attackers are able to read arbitrary data
from other HTTP sessions because Ignition uses a vulnerable Jetty server.
When the Jetty web server receives a HTTP request, the below code is used
to parse through the HTTP headers and their associated values. The server
begins by looping through each character for a given
Nuclei
Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
nuclei·CVSS 7.5
CVE-2015-2080 [HIGH] Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
Template:
id: CVE-2015-2080
info:
  name: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage
  author: pikpikcu
  severity: high
  description: Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header.
  impact: |
    Remote attackers can retrieve sensitive information from process memory, leading to potential data leakage.
  remediation: |
    Update to version 9.2.9.v20150224 or later.
  reference:
    - https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpp
References
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
- http://seclists.org/fulldisclosure/2015/Mar/12
- http://www.securityfocus.com/archive/1/534755/100/1600/threaded
- http://www.securityfocus.com/bid/72768
- http://www.securitytracker.com/id/1031800
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
- https://security.netapp.com/advisory/ntap-20190307-0005/