<p>A patch was released on version <code>6.1.22</code>. There is no fix for version <code>7.0.0</code>.</p>

Arbitrary Command Execution Affecting org.mortbay.jetty:jetty package, versions [6.0.0,6.1.22) [7.0.0,]

Snyk CVSS

Attack Complexity Low

Threat Intelligence

EPSS 1.12% (85^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGMORTBAYJETTY-32091
published 19 Feb 2018
disclosed 13 Jan 2010
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 13 Jan 2010

CVE-2009-4611 Open this link in a new tab CWE-20 Open this link in a new tab

How to fix?

A patch was released on version 6.1.22. There is no fix for version 7.0.0.

Overview

org.mortbay.jetty:jetty is an open-source project providing a HTTP server, HTTP client and javax.servlet container.

Affected versions of this package are vulnerable to Arbitrary Command Execution. It writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.