Jetty contains an alias issue that could allow unauthenticated remote code execution due to specially crafted request

GHSA-872g-2h8h-362q · CVE-2016-4800

Published Oct 19, 2018 · Modified Feb 16, 2024

Description

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2016-4800
ADVISORY https://github.com/advisories/GHSA-872g-2h8h-362q
WEB https://security.netapp.com/advisory/ntap-20190307-0006
WEB https://www.oracle.com/security-alerts/cpuoct2020.html
WEB http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html
WEB http://www.ocert.org/advisories/ocert-2016-001.html
WEB http://www.securityfocus.com/bid/90945
WEB http://www.zerodayinitiative.com/advisories/ZDI-16-362

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes