Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2015-2080

Severity: 7.5 HIGH
EPSS: 92.4% (top 0.27%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Oct 7; Latest update Nov 9

Description

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (2 packages)

Maven: org.eclipse.jetty:jetty-server < 9.2.9.v20150224
NVD: eclipse/jetty, 7 versions (+6)

Also affects: Fedora 22

Vulnerability Details (3)

GHSA: Jetty vulnerable to exposure of sensitive information to unauthenticated remote users (2018-11-09)
OSV: Jetty vulnerable to exposure of sensitive information to unauthenticated remote users (2018-11-09)
CVEList: CVE-2015-2080: The exception handling code in Eclipse Jetty before 9 (2016-10-07)

Exploits & PoCs (2)

Exploit-DB: Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers (2016-02-17)
Nuclei: Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage

Vendor Advisories (1)

Red Hat: jetty: remote unauthenticated credential exposure (2015-02-24)

Community (1)

Bugzilla: CVE-2015-2080 jetty: remote unauthenticated credential exposure (2015-02-25)