Vulnerability Description
The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9, when running on Windows, allows remote attackers to bypass protected resource restrictions and other security constraints via a URL containing certain percent-encoded characters, notably the backslash (%5C), which Windows treats as a path separator while the request path is matched against constraints that only recognise the forward slash.
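The failure mode described above, modelled as an added example (this is not Jetty's own code): a constraint matcher that decodes the request path and compares it against protected prefixes using only "/" as a separator, beside a simulation of how a Windows-backed resource resolver treats the same decoded path, and a hardened matcher that folds backslashes into forward slashes and canonicalises dot segments before matching. The protected prefixes, the document root and the request paths are constructed for the illustration.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Constructed for the example: prefixes a servlet container would normally
# refuse to serve directly (hypothetical configuration, not Jetty's defaults).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def weak_is_protected(raw_path: str) -> bool:
    """Vulnerable pattern: decode percent-escapes, then prefix-match on '/' only.

    A request for /WEB-INF%5cweb.xml decodes to '/WEB-INF\\web.xml', which does
    not start with '/WEB-INF/', so the constraint is not applied.
    """
    decoded = unquote(raw_path)
    return decoded.startswith(PROTECTED_PREFIXES)


def windows_resolves_to(docroot: str, raw_path: str) -> str:
    """Simulate a Windows file-system-backed resource lookup.

    ntpath treats both '/' and '\\' as separators, so the decoded path
    with backslashes lands on exactly the same file as the slash form.
    """
    decoded = unquote(raw_path)
    joined = ntpath.join(docroot, decoded.lstrip("/\\"))
    return ntpath.normpath(joined)


def canonical_request_path(raw_path: str) -> str:
    """Decode, treat '\\' as a separator, and collapse '.', '..' and '//'.

    The leading '/' is forced so that '..' can never climb above the root.
    """
    decoded = unquote(raw_path).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def hardened_is_protected(raw_path: str) -> bool:
    """Hardened pattern: match constraints on the canonical path.

    Backslash, dot-segment and double-slash variants of a protected path
    all canonicalise to the same string and are caught here.
    """
    return canonical_request_path(raw_path).startswith(PROTECTED_PREFIXES)


if __name__ == "__main__":
    docroot = r"C:\site"  # constructed document root
    for req in ("/WEB-INF/web.xml",
                "/WEB-INF%5cweb.xml",
                "/static%5c..%5cWEB-INF%5cweb.xml"):
        print(f"{req:40} weak={weak_is_protected(req)!s:5} "
              f"hardened={hardened_is_protected(req)!s:5} "
              f"file={windows_resolves_to(docroot, req)}")
```

The point the simulation makes is that the two request forms are indistinguishable at the file system but distinguishable at the constraint check; the fix is to make the constraint check see the same canonical path the resolver does (or to reject any decoded path containing a backslash outright, which is the stricter choice when backslashes are never legitimate in your URL space).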
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eclipse | Jetty | 9.3.x before 9.3.9 (9.3.0 through 9.3.8) |
| Microsoft | Windows | All versions (affected only as the platform Jetty runs on) |
Related Weaknesses (CWE)
References
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html (Patch, Vendor Advisory)
- http://www.ocert.org/advisories/ocert-2016-001.html (Mitigation, Patch, Third Party Advisory)
- http://www.securityfocus.com/bid/90945 (Third Party Advisory, VDB Entry)
- http://www.zerodayinitiative.com/advisories/ZDI-16-362 (Third Party Advisory, VDB Entry)
- https://security.netapp.com/advisory/ntap-20190307-0006/
- https://www.oracle.com/security-alerts/cpuoct2020.html
FAQ
What is CVE-2016-4800?
CVE-2016-4800 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9, when running on Windows, allows remote attackers to bypass protected resource restrictions and other security constraints via a URL containing certain percent-encoded characters, notably the backslash.
How severe is CVE-2016-4800?
CVE-2016-4800 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2016-4800?
The issue is fixed in Jetty 9.3.9; upgrade any 9.3.x deployment on Windows to 9.3.9 or later. See the references section above for the vendor announcement, the oCERT advisory with mitigation details, and the NetApp and Oracle advisories for products that bundle Jetty. The vulnerable component is Eclipse Jetty; Microsoft Windows is listed because the flaw is only reachable on that platform.