The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

| Software | From | Fixed in |
|---|---|---|
| eclipse / jetty | 9.3.0-m0 | 9.3.0-m0.x |
| eclipse / jetty | 9.3.0-rc0 | 9.3.0-rc0.x |
| eclipse / jetty | 9.3.0-m1 | 9.3.0-m1.x |
| eclipse / jetty | 9.3.0 | 9.3.0.x |
| eclipse / jetty | 9.3.0-rc1 | 9.3.0-rc1.x |
| eclipse / jetty | 9.3.0-maintenance2 | 9.3.0-maintenance2.x |
| eclipse / jetty | 9.3.1 | 9.3.1.x |
| eclipse / jetty | 9.3.2 | 9.3.2.x |
| eclipse / jetty | 9.3.3 | 9.3.3.x |
| eclipse / jetty | 9.3.4 | 9.3.4.x |
| eclipse / jetty | 9.3.4-rc1 | 9.3.4-rc1.x |
| eclipse / jetty | 9.3.4-rc0 | 9.3.4-rc0.x |
| eclipse / jetty | 9.3.5 | 9.3.5.x |
| eclipse / jetty | 9.3.6 | 9.3.6.x |
| eclipse / jetty | 9.3.7-rc1 | 9.3.7-rc1.x |
| eclipse / jetty | 9.3.7 | 9.3.7.x |
| eclipse / jetty | 9.3.7-rc0 | 9.3.7-rc0.x |
| eclipse / jetty | 9.3.8 | 9.3.8.x |
| eclipse / jetty | 9.3.8-rc0 | 9.3.8-rc0.x |
| org.eclipse.jetty / jetty-server | 9.3.0 | 9.3.9 |