CVE-2007-6672 - Path Traversal vulnerability in Mortbay Jetty 6.1.5/6.1.6

Publication

2008-01-08

Last modification

2012-10-30

Summary

Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/' (slash) characters in the URI.

Description

Jetty is prone to an information-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker can exploit this issue to view private directories or files within the context of the web server process. Information obtained may lead to other attacks. This issue affects Jetty 6.1.5 and 6.1.6.
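The underlying defect class is a protection check applied to the raw request URI rather than to its canonical form, so a spelling such as a doubled leading slash no longer matches the protected prefix. The following is an added illustration in Python, not Jetty's own code or its fix: PROTECTED_PREFIXES, naive_is_blocked and hardened_is_blocked are hypothetical names, and the sample request paths are constructed. It shows the raw-prefix check beside a check that first collapses repeated slashes, percent-decodes and resolves dot segments, and goes slightly beyond the CVE's multiple-slash case by handling encoded and '..' spellings too.

```python
"""Added example (not Jetty's code): a protected-resource check must run on
the canonical request path, not the raw URI.

PROTECTED_PREFIXES and the two check functions are hypothetical names chosen
for this illustration; the sample request paths are constructed inputs.
"""
import re
from urllib.parse import unquote

# Directories a servlet container must never serve to clients (WEB-INF and
# META-INF are the servlet specification's protected names).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")

_MULTI_SLASH = re.compile(r"/{2,}")


def canonicalize_path(raw_path: str) -> str:
    """Percent-decode, collapse runs of '/', and resolve '.' and '..' segments.

    Always returns an absolute path with a single leading '/'. A '..' that
    would climb above the root is clamped at the root instead of escaping.
    """
    decoded = unquote(raw_path)
    collapsed = _MULTI_SLASH.sub("/", decoded)
    segments = []
    for seg in collapsed.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_is_blocked(raw_path: str) -> bool:
    """Prefix check on the raw URI: the pattern behind CWE-22 bypasses like this one.

    A leading '//' (or an encoded or '..'-bearing spelling) no longer starts
    with '/WEB-INF/', so the protected resource slips through the check.
    """
    return any(raw_path.startswith(p) for p in PROTECTED_PREFIXES)


def hardened_is_blocked(raw_path: str) -> bool:
    """Same policy, applied to the canonical path, so every spelling of a
    protected resource is caught."""
    canon = canonicalize_path(raw_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)


def compare(paths):
    """Return {raw_path: (naive_blocked, hardened_blocked)} for a batch of paths."""
    return {p: (naive_is_blocked(p), hardened_is_blocked(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests: one benign, one direct, and three disguised
    # spellings of the same protected resource.
    samples = [
        "/index.jsp",
        "/WEB-INF/web.xml",
        "//WEB-INF/web.xml",           # the multiple-slash form named in the CVE
        "/%57EB-INF/web.xml",          # percent-encoded first byte
        "/static/../WEB-INF/web.xml",  # dot-dot traversal
    ]
    for raw, (naive, hard) in compare(samples).items():
        print(f"{raw:32} naive_blocked={naive!s:5} hardened_blocked={hard!s:5}")
```

Running the block prints one line per sample; the naive check passes the three disguised spellings while the hardened check blocks all four protected requests and still admits /index.jsp. In a real container the canonical path should also be the one used for resource lookup, and a path that still contains '%' after one round of decoding is worth rejecting outright rather than decoding again.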

Solution

The vendor released an update to address this issue. Please see the references for more information.

Fixes:

  • Jetty 6.1.5, Cuyahoga: jetty-6.1.7.zip, http://dist.codehaus.org/jetty/jetty-6.1.7/jetty-6.1.7.zip
  • Jetty 6.1.6, Cuyahoga: jetty-6.1.7.zip, http://dist.codehaus.org/jetty/jetty-6.1.7/jetty-6.1.7.zip

Exploit

Attackers can exploit this vulnerability with a browser.

Classification

CWE-22 - Path Traversal

Risk level (CVSS AV:N/AC:L/Au:N/C:P/I:N/A:N)

Medium

5.0

Access Vector

  • Network

Access Complexity

  • Low

Authentication

  • None

Confidentiality Impact

  • Partial

Integrity Impact

  • None

Affected Products

Vendor         Product   Versions
Mortbay Jetty  Jetty     6.1.5, 6.1.6