GHSA-wfcc-pff6-rgc5

Source

https://github.com/advisories/GHSA-wfcc-pff6-rgc5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-wfcc-pff6-rgc5/GHSA-wfcc-pff6-rgc5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-wfcc-pff6-rgc5

Aliases

CVE-2017-9735

Published

2018-10-19T16:15:46Z

Modified

2024-02-16T08:22:10.602897Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Jetty vulnerable to exposure of sensitive information due to observable discrepancy

Details

Jetty through 9.4.x contains a timing channel attack in util/security/Password.java, which allows attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Database specific

{
    "nvd_published_at": "2017-06-16T21:29:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-203"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:00:10Z"
}

References

Affected packages

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.4.0

Fixed

9.4.6.v20170531

Affected versions

9.*

9.4.0.v20161208

9.4.0.v20180619

9.4.1.v20170120

9.4.1.v20180619

9.4.2.v20170220

9.4.2.v20180619

9.4.3.v20170317

9.4.3.v20180619

9.4.4.v20170414

9.4.4.v20180619

9.4.5.v20170502

9.4.5.v20180619

Database specific

{
    "last_known_affected_version_range": "<= 9.4.5.v20170502"
}

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.3.0

Fixed

9.3.20.v20170531

Affected versions

9.*

9.3.0.v20150612

9.3.1.v20150714

9.3.2.v20150730

9.3.3.v20150827

9.3.4.RC0

9.3.4.RC1

9.3.4.v20151007

9.3.5.v20151012

9.3.6.v20151106

9.3.7.RC0

9.3.7.RC1

9.3.7.v20160115

9.3.8.RC0

9.3.8.v20160314

9.3.9.M0

9.3.9.M1

9.3.9.v20160517

9.3.10.M0

9.3.10.v20160621

9.3.11.M0

9.3.11.v20160721

9.3.12.v20160915

9.3.13.M0

9.3.13.v20161014

9.3.14.v20161028

9.3.15.v20161220

9.3.16.v20170120

9.3.17.RC0

9.3.17.v20170317

9.3.18.v20170406

9.3.19.v20170502

Database specific

{
    "last_known_affected_version_range": "<= 9.3.19.v20170502"
}

Maven / org.eclipse.jetty:jetty-server

Package

Name: org.eclipse.jetty:jetty-server; View open source insights on deps.dev
Purl: pkg:maven/org.eclipse.jetty/jetty-server

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.2.22.v20170606

Affected versions

7.*

7.0.0.M0

7.0.0.M1

7.0.0.M2

7.0.0.M3

7.0.0.M4

7.0.0.RC0

7.0.0.RC1

7.0.0.RC2

7.0.0.RC3

7.0.0.RC4

7.0.0.RC5

7.0.0.RC6

7.0.0.v20091005

7.0.1.v20091125

7.0.2.RC0

7.0.2.v20100331

7.1.0.RC0

7.1.0.RC1

7.1.0.v20100505

7.1.1.v20100517

7.1.2.v20100523

7.1.3.v20100526

7.1.4.v20100610

7.1.5.v20100705

7.1.6.v20100715

7.2.0.RC0

7.2.0.v20101020

7.2.1.v20101111

7.2.2.v20101205

7.3.0.v20110203

7.3.1.v20110307

7.4.0.RC0

7.4.0.v20110414

7.4.1.v20110513

7.4.2.v20110526

7.4.3.v20110701

7.4.4.v20110707

7.4.5.v20110725

7.5.0.RC0

7.5.0.RC1

7.5.0.RC2

7.5.0.v20110901

7.5.1.v20110908

7.5.2.v20111006

7.5.3.v20111011

7.5.4.v20111024

7.6.0.RC0

7.6.0.RC1

7.6.0.RC2

7.6.0.RC3

7.6.0.RC4

7.6.0.RC5

7.6.0.v20120127

7.6.1.v20120215

7.6.2.v20120308

7.6.3.v20120416

7.6.4.v20120524

7.6.5.v20120716

7.6.6.v20120903

7.6.7.v20120910

7.6.8.v20121106

7.6.9.v20130131

7.6.10.v20130312

7.6.11.v20130520

7.6.12.v20130726

7.6.13.v20130916

7.6.14.v20131031

7.6.15.v20140411

7.6.16.v20140903

7.6.17.v20150415

7.6.18.v20150929

7.6.19.v20160209

7.6.20.v20160902

7.6.21.v20160908

8.*

8.0.0.M0

8.0.0.M1

8.0.0.M2

8.0.0.M3

8.0.0.RC0

8.0.0.v20110901

8.0.1.v20110908

8.0.2.v20111006

8.0.3.v20111011

8.0.4.v20111024

8.1.0.RC0

8.1.0.RC1

8.1.0.RC2

8.1.0.RC4

8.1.0.RC5

8.1.0.v20120127

8.1.1.v20120215

8.1.2.v20120308

8.1.3.v20120416

8.1.4.v20120524

8.1.5.v20120716

8.1.6.v20120903

8.1.7.v20120910

8.1.8.v20121106

8.1.9.v20130131

8.1.10.v20130312

8.1.11.v20130520

8.1.12.v20130726

8.1.13.v20130916

8.1.14.v20131031

8.1.15.v20140411

8.1.16.v20140903

8.1.17.v20150415

8.1.18.v20150929

8.1.19.v20160209

8.1.20.v20160902

8.1.21.v20160908

8.1.22.v20160922

8.2.0.v20160908

9.*

9.0.0.M0

9.0.0.M1

9.0.0.M2

9.0.0.M3

9.0.0.M4

9.0.0.M5

9.0.0.RC0

9.0.0.RC1

9.0.0.RC2

9.0.0.v20130308

9.0.1.v20130408

9.0.2.v20130417

9.0.3.v20130506

9.0.4.v20130625

9.0.5.v20130815

9.0.6.v20130930

9.0.7.v20131107

9.1.0.M0

9.1.0.RC0

9.1.0.RC1

9.1.0.RC2

9.1.0.v20131115

9.1.1.v20140108

9.1.2.v20140210

9.1.3.v20140225

9.1.4.v20140401

9.1.5.v20140505

9.1.6.v20160112

9.2.0.M0

9.2.0.M1

9.2.0.RC0

9.2.0.v20140526

9.2.1.v20140609

9.2.2.v20140723

9.2.3.v20140905

9.2.4.v20141103

9.2.5.v20141112

9.2.6.v20141205

9.2.7.v20150116

9.2.8.v20150217

9.2.9.v20150224

9.2.10.v20150310

9.2.11.M0

9.2.11.v20150529

9.2.12.M0

9.2.12.v20150709

9.2.13.v20150730

9.2.14.v20151106

9.2.15.v20160210

9.2.16.v20160414

9.2.17.v20160517

9.2.18.v20160721

9.2.19.v20160908

9.2.20.v20161216

9.2.21.v20170120

Database specific

{
    "last_known_affected_version_range": "<= 9.2.21.v20170120"
}