CVE-2017-9735

CWE-203 CWE-200 — Information Exposure CWE-38511 documents9 sources

Severity

7.5HIGH

EPSS

1.3%

top 20.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Eclipse Jetty Debian Debian Linux Oracle Communications Cloud Native Core Policy +4 more

Timeline

PublishedJun 16

Latest updateNov 21

Description

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDeclipse/jetty9.3.0 — 9.3.20+2

▶Mavenorg.eclipse.jetty:jetty-server9.4.0 — 9.4.6.v20170531+2

▶Debianjetty9< 9.2.22-1+3

▶NVDoracle/hospitality_guest_access4.2.0, 4.2.1+1

▶NVDoracle/rest_data_services4 versions+3

Also affects: Debian Linux 9.0

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Jetty vulnerable to exposure of sensitive information due to observable discrepancy↗2018-10-19

▶

OSV

Jetty vulnerable to exposure of sensitive information due to observable discrepancy↗2018-10-19

▶

CVEList

CVE-2017-9735: Jetty through 9↗2017-06-16

▶

OSV

CVE-2017-9735: Jetty through 9↗2017-06-16

▶

📋Vendor Advisories

Atlassian

CVE-2017-9735: Info Disclosure org.eclipse.jetty:jetty-util in Jira Software Data Center and Server↗2023-11-21

▶

Oracle

Oracle Oracle Communications Risk Matrix: Configuration (Jetty) — CVE-2017-9735↗2021-07-15

▶

Red Hat

jetty: Timing channel attack in util/security/Password.java↗2017-05-16

▶

Debian

CVE-2017-9735: jetty9 - Jetty through 9.4.x is prone to a timing channel in util/security/Password.java,...↗2017

▶

💬Community

Bugzilla

CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java↗2017-06-22

▶

Bugzilla

CVE-2017-9735 jetty: Timing channel attack in util/security/Password.java [fedora-all]↗2017-06-22

▶