Vulnerability Description
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
CVSS Score
7.5
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedoraproject | Fedora | 22 |
| Eclipse | Jetty | 9.2.3 |
Related Weaknesses (CWE)
References
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.htmlVendor Advisory
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.htmlVendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.htmlThird Party Advisory
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.htExploitThird Party Advisory
- http://seclists.org/fulldisclosure/2015/Mar/12ExploitThird Party Advisory
- http://www.securityfocus.com/archive/1/534755/100/1600/threaded
- http://www.securityfocus.com/bid/72768Broken Link
- http://www.securitytracker.com/id/1031800Third Party Advisory
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakageExploitThird Party Advisory
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-ExploitVendor Advisory
- https://security.netapp.com/advisory/ntap-20190307-0005/
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.htmlVendor Advisory
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.htmlVendor Advisory
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.htmlThird Party Advisory
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.htExploitThird Party Advisory
FAQ
What is CVE-2015-2080?
CVE-2015-2080 is a vulnerability with a CVSS score of 7.5 (HIGH). The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
How severe is CVE-2015-2080?
CVE-2015-2080 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-2080?
Check the references section above for vendor advisories and patch information. Affected products include: Fedoraproject Fedora, Eclipse Jetty.