CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Published: Jun 16, 2017
Updated: Nov 8, 2023
CVE: CVE-2017-9735
GHSA: GHSA-wfcc-pff6-rgc5
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
eclipse / jetty	9.4.0	9.4.6
eclipse / jetty	9.3.0	9.3.20
eclipse / jetty	-	9.2.22
debian / debian_linux	9.0	9.0.x
oracle / retail_xstore_point_of_service	15.0	15.0.x
oracle / retail_xstore_point_of_service	7.1	7.1.x
oracle / hospitality_guest_access	4.2.0	4.2.0.x
oracle / hospitality_guest_access	4.2.1	4.2.1.x
oracle / retail_xstore_point_of_service	16.0	16.0.x
oracle / enterprise_manager_base_platform	13.3	13.3.x
oracle / enterprise_manager_base_platform	13.2	13.2.x
oracle / retail_xstore_point_of_service	17.0	17.0.x
oracle / rest_data_services	12.2.0.1	12.2.0.1.x
oracle / rest_data_services	12.1.0.2	12.1.0.2.x
oracle / rest_data_services	11.2.0.4	11.2.0.4.x
oracle / rest_data_services	18c	18c.x
oracle / communications_cloud_native_core_policy	1.5.0	1.5.0.x
org.eclipse.jetty / jetty-server	9.4.0	9.4.6.v20170531
org.eclipse.jetty / jetty-server	9.3.0	9.3.20.v20170531
org.eclipse.jetty / jetty-server	9.2.0	9.2.22.v20170606

Vulnerability Database

289,599

CVE-2017-9735