Arbitrary Command Execution Affecting org.mortbay.jetty:jetty package, versions [6.0.0,6.1.22) [7.0.0,]
- Snyk ID SNYK-JAVA-ORGMORTBAYJETTY-32091
- published 19 Feb 2018
- disclosed 13 Jan 2010
- credit Unknown
Introduced: 13 Jan 2010
CVE-2009-4611
How to fix?
A patch was released on version 6.1.22.
There is no fix for version 7.0.0.
Overview
org.mortbay.jetty:jetty is an open-source project providing an HTTP server, HTTP client and javax.servlet container.
Affected versions of this package are vulnerable to Arbitrary Command Execution. It writes backtrace data without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator, related to (1) a string value in the Age parameter to the default URI for the Cookie Dump Servlet in test-jetty-webapp/src/main/java/com/acme/CookieDump.java under cookie/, (2) an alphabetic value in the A parameter to jsp/expr.jsp, or (3) an alphabetic value in the Content-Length HTTP header to an arbitrary application.
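The root cause described above is that untrusted request data (a cookie value, a request parameter, a malformed Content-Length header) is copied verbatim into an error message or backtrace that later reaches a terminal, which then interprets any embedded escape sequence. The following is an added illustration, not code from the Jetty project, of the mitigation: a small sanitizer that replaces every non-printable character with a visible `\xNN` escape before the value is quoted in a log line. The class and method names (`LogSanitizer`, `sanitize`, `badHeaderMessage`) and the sample header value are assumptions constructed for this example.

```java
import java.util.Locale;

/**
 * Added example (not Jetty code): sanitizes untrusted request data before it is
 * written to a log message or backtrace, so a terminal viewing the log never
 * interprets an escape sequence smuggled in a header, cookie or parameter value.
 */
public final class LogSanitizer {
    private LogSanitizer() {}

    /**
     * Returns a copy of {@code input} in which every non-printable character
     * (ISO control characters such as ESC 0x1B, CR and LF, the C1 range
     * 0x80-0x9F, and Unicode format characters) is replaced by a visible
     * escape such as {@code \x1b}. Printable text is passed through unchanged.
     */
    public static String sanitize(String input) {
        if (input == null) {
            return "null";
        }
        StringBuilder out = new StringBuilder(input.length());
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            if (Character.isISOControl(c) || Character.getType(c) == Character.FORMAT) {
                // Render the control character as text instead of emitting it raw.
                out.append(String.format(Locale.ROOT, "\\x%02x", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Builds a "bad header" message the way a server might when it rejects a
     * request, quoting the untrusted value only after sanitizing it. This is
     * the hardened counterpart of writing the raw value into the backtrace.
     */
    public static String badHeaderMessage(String headerName, String untrustedValue) {
        return "Bad " + headerName + " header value: \"" + sanitize(untrustedValue) + "\"";
    }

    public static void main(String[] args) {
        // Constructed sample: an alphabetic Content-Length value carrying an ESC
        // sequence and a CR/LF pair that would otherwise forge a second log line.
        String hostile = "abc\u001b[2J\r\nINFO forged log line";
        System.out.println(badHeaderMessage("Content-Length", hostile));
    }
}
```

The same `sanitize` call belongs in front of every place request-controlled text is interpolated into a log or exception message, including the cookie and JSP parameter cases listed above; applying it only to headers would leave the other two paths open. Because the replacement is lossless (each control byte becomes its hex code), the sanitized log still tells an analyst exactly what the request contained.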