Jetty CVE-2015-2080 Information Disclosure Vulnerability

Jetty is prone to an information-disclosure vulnerability.

Successfully exploiting this issue may allow an attacker to obtain sensitive information that may aid in further attacks.

Information

Bugtraq ID: 72768
Class: Design Error
CVE: CVE-2015-2080

Remote: Yes
Local: No
Published: Feb 24 2015 12:00AM
Updated: Feb 24 2015 12:00AM
Credit: Gotham Digital Science and Stephen Komal
Vulnerable: The Eclipse Foundation Jetty 9.3.0.M1
The Eclipse Foundation Jetty 9.3.0.M0
The Eclipse Foundation Jetty 9.2.8.v20150217
The Eclipse Foundation Jetty 9.2.7.v20150116
The Eclipse Foundation Jetty 9.2.6.v20141205
The Eclipse Foundation Jetty 9.2.5.v20141112
The Eclipse Foundation Jetty 9.2.4.v20141103
The Eclipse Foundation Jetty 9.2.3.v20140905

Not Vulnerable: The Eclipse Foundation Jetty 9.2.9.v20150224

Exploit

An attacker can exploit this issue using a readily available tools.

References:

• HttpParser Error Buffer Bleed Vulnerability (Jetty)
  
• JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE (Jetty)
  
• Jetty Home Page (The Eclipse Foundation)
  
• 2018-04 Security Bulletin: Steel-Belted Radius (SBR) Carrier: Eclipse Jetty info (Juniper.net)
  

Source: www.securityfocus.com