CVE-2015-2080
published 2016-10-07

Priority: P268 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 74.88% (99.4th percentile)

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Affected

8 ranges
Vendor | Product | Version range | Fixed in
eclipse | jetty
eclipse | jetty
eclipse | jetty
eclipse | jetty
eclipse | jetty
eclipse | jetty
eclipse | jetty
fedoraproject | fedora

Detection & IOCs (extracted from sources)

version: Eclipse Jetty before 9.2.9.v20150224
url: https://github.com/GDSSecurity/Jetleak-Testing-Script/blob/master/jetleak_tester.py
path: jetty-http\src\main\java\org\eclipse\jetty\http\HttpParser.java
other: Illegal character 0x0 in state (HTTP 400 response body string)
bytes: \x00 (null byte in HTTP Referer header)

  • Match HTTP 400 responses containing the string 'Illegal character 0x0 in state' in the response body to identify vulnerable Jetty instances.
  • Leaked session data may appear in HTTP response headers or body, e.g. Set-Cookie values containing raw memory bytes from other sessions such as 'SESSIONID=15iwe0g...\x0fCU\xFa\xBf\xA4j\x12\x83\xCb\xE61~S\xD1'.
  • The vulnerability is exploitable unauthenticated via a POST (or any HTTP method) to any endpoint on the Jetty server with a malformed header. Use the GDS Security Jetleak testing script for automated detection.
  • The exploit uses a bash special character ($'\a', ASCII 0x07 BEL) as the illegal character injected into the header value. Any non-printable ASCII character < 0x20 triggers the vulnerability; 0x00 (null) is used in the Nuclei template.
  • The affected resource path in the Ignition-specific PoC targets application-specific endpoints; the underlying Jetty vulnerability is path-agnostic and affects any HTTP endpoint on the vulnerable server.
  • Red Hat Enterprise Linux 7, Red Hat OpenShift Enterprise 2.1 (openshift-origin-cartridge-fuse), and Red Hat Satellite 5 (nutch) ship versions of Jetty that are NOT affected by this CVE.

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat | | 7.5 | HIGH |