CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

References

Affected packages

Git / github.com/eclipse/jetty.project

Affected ranges

Type

GIT

Repo

https://github.com/eclipse/jetty.project

Events

Introduced

Fixed

0af30bce5aebb447f9e235b1634e8104490c1426

Introduced

390f3200cce7f90f1f3ebc78013c1afea2f93db8

Fixed

0f3b1cbe368f6d5aca01f3a3efc95ac41fff6035

Introduced

Last affected

883fe0e8317a89c46b49465bac2dcd07166e714c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "9.2.22"
        },
        {
            "introduced": "9.3.0"
        },
        {
            "fixed": "9.3.20"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "9.0"
        }
    ]
}

Affected versions

jetty-9.*

jetty-9.2.10.v20150310

jetty-9.2.11.M0

jetty-9.2.11.v20150528

jetty-9.2.11.v20150529

jetty-9.2.12.M0

jetty-9.2.12.v20150709

jetty-9.2.13.v20150730

jetty-9.2.14.v20151106

jetty-9.2.15.v20160210

jetty-9.2.16.v20160414

jetty-9.2.17.v20160517

jetty-9.2.18.v20160721

jetty-9.2.19.v20160908

jetty-9.2.20.v20161216

jetty-9.2.21.v20170120

jetty-9.2.4.v20141103

jetty-9.2.5.v20141112

jetty-9.2.6.v20141203

jetty-9.2.6.v20141205

jetty-9.2.7.v20150116

jetty-9.2.8.v20150217

jetty-9.2.9.v20150224

jetty-9.3.0.M0

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "9.4.0"
            },
            {
                "fixed": "9.4.6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "1.5.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.2.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "4.2.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "11.2.0.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.1.0.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "12.2.0.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "18c"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "15.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "16.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "17.0"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9735.json"