Mort Bay Jetty < 6.1.17 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 5017

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

The remote instance of Mort Bay Jetty is affected by a number of flaws. First, the application is vulnerable to a cross-site scripting (XSS) flaw when displaying web directory listings. Second, the application is prone to an information disclosure flaw that can be used to read files outside the web root. Note: the second flaw can only be exploited if Jetty has been configured to use DefaultServlet with support for aliases turned on.

Solution

Upgrade to Mort Bay Jetty 6.1.17 or later.

See Also

http://www.kb.cert.org/vuls/id/402580

Plugin Details

Severity: Medium

ID: 5017

Family: Web Servers

Published: 8/18/2004

Updated: 3/6/2019

Nessus ID: 47897

Risk Information

VPR

Risk Factor: Medium

Score: 4.6

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:mortbay:jetty

Exploitable With

Core Impact

Reference Information

CVE: CVE-2009-1523, CVE-2009-1524

BID: 34800