CVE-2016-4800 — Improper Access Control in Jetty

CWE-284 — Improper Access Control8 documents8 sources

Severity

9.8CRITICALNVD

EPSS

0.6%

top 30.25%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jetty

Timeline

PublishedApr 13

Latest updateOct 19

Description

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDeclipse/jetty9 versions+8

Patches

Patch: dev.eclipse.org ↗Patch: www.ocert.org ↗Patch: dev.eclipse.org ↗

🔴Vulnerability Details

OSV

Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request↗2018-10-19

▶

GHSA

Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request↗2018-10-19

▶

CVEList

CVE-2016-4800: The path normalization mechanism in PathResource class in Eclipse Jetty 9↗2017-04-13

▶

💥Exploits & PoCs

Metasploit

Moxa UDP Device Discovery↗

▶

📋Vendor Advisories

Red Hat

jetty: path normalization↗2016-05-30

▶

Debian

CVE-2016-4800: jetty9 - The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x be...↗2016

▶

💬Community

Bugzilla

CVE-2016-4800 jetty: path normalization↗2016-05-26

▶