CVE-2017-9735

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 16-06-2017 11:29

Last modified: - 15-03-2022 03:55

Total changes: - 4

Description

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

High

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=eclipse AND product=jetty AND versionEndExcluding=9.2.22

vendor=eclipse AND product=jetty AND versionStartIncluding=9.3.0 AND versionEndExcluding=9.3.20

vendor=eclipse AND product=jetty AND versionStartIncluding=9.4.0 AND versionEndExcluding=9.4.6

vendor=Debian AND product=debian_linux AND version=9.0

vendor=oracle AND product=communications_cloud_native_core_policy AND version=1.5.0

vendor=oracle AND product=enterprise_manager_base_platform AND version=13.2

vendor=oracle AND product=enterprise_manager_base_platform AND version=13.3

vendor=oracle AND product=hospitality_guest_access AND version=4.2.0

vendor=oracle AND product=hospitality_guest_access AND version=4.2.1

vendor=oracle AND product=rest_data_services AND version=11.2.0.4 AND software_edition=-

vendor=oracle AND product=rest_data_services AND version=12.1.0.2 AND software_edition=-

vendor=oracle AND product=rest_data_services AND version=12.2.0.1 AND software_edition=-

vendor=oracle AND product=rest_data_services AND version=18c AND software_edition=-

vendor=oracle AND product=retail_xstore_point_of_service AND version=7.1

vendor=oracle AND product=retail_xstore_point_of_service AND version=15.0

vendor=oracle AND product=retail_xstore_point_of_service AND version=16.0

vendor=oracle AND product=retail_xstore_point_of_service AND version=17.0

Reference

https://github.com/eclipse/jetty.project/issues/1556
https://bugs.debian.org/864631
99104-Third Party Advisory, VDB Entry
[pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1-Mailing List, Third Party Advisory
[activemq-issues] 20190820 [jira] [Created] (AMQ-7279) Security Vulnerabilities in Libraries - jackson-databind-2.9.8.jar, tomcat-servlet-api-8.0.53.jar, tomcat-websocket-api-8.0.53.jar, zookeeper-3.4.6.jar, guava-18.0.jar, jetty-all-9.2.26.v20180806.jar, scala-library-2.11.0.jar-Mailing List, Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Third Party Advisory
[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities-Mailing List, Third Party Advisory
[hadoop-common-dev] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade-Mailing List, Third Party Advisory
[hadoop-common-issues] 20191030 [jira] [Created] (HADOOP-16676) Security Vulnerability for dependency jetty-xml -please upgrade-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html
[debian-lts-announce] 20210514 [SECURITY] [DLA 2661-1] jetty9 security update-Mailing List, Third Party Advisory
N/A-Third Party Advisory

Keywords

CVE-2017-9735

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2017-9735

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures