CVE-2016-4800

Published on: 04/13/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:26:57 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Jetty from Eclipse contain the following vulnerability:

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
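
The description above is terse, so here is an added Python model of the failure mode it names (this is constructed illustration, not Jetty's code, and the protected-prefix list, the URIs and the "Windows file system" stub are all assumptions made for the example). A security constraint is matched against the decoded request path using `/` as the only separator; the path is then handed to a file system that also treats `\` as a separator. A request for `/WEB-INF%5Cweb.xml` decodes to `/WEB-INF\web.xml`, fails to match the `/WEB-INF/` constraint, and is then resolved by Windows to the protected file. The hardened variant rejects any decoded path containing a backslash before either the constraint check or the file system sees it; that is an illustrative policy, not a claim about the exact content of the 9.3.9 patch.

```python
"""
Toy model of the CVE-2016-4800 class of bypass (constructed example, not Jetty code):
a security constraint matched with '/' as the only separator, followed by a Windows
file system that also accepts '\\' as a separator.
"""
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the container's protected targets.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def is_protected_prefix(path: str) -> bool:
    """Prefix match with '/' as the only separator. Case-insensitive because the
    target file system (Windows) is. Note: '/WEB-INF\\web.xml/' does NOT match."""
    upper = path.upper()
    return any(upper.startswith(p) for p in PROTECTED_PREFIXES)


def container_canonicalize(decoded: str) -> str:
    """Model of the container's URI canonicalization: collapses '.' and '..'
    between '/'-separated segments, but a '\\' is just an ordinary character."""
    return posixpath.normpath(decoded)


def windows_resolve(path: str) -> str:
    """Model of Windows path resolution: '\\' and '/' are interchangeable, so
    traversal segments hidden behind backslashes are collapsed here, too late."""
    return posixpath.normpath(path.replace("\\", "/"))


def serve_vulnerable(raw_uri: str) -> str:
    """Decode, canonicalize, check the constraint, then resolve on disk.
    Returns '403', or '200 <resolved path>' when the file would be served."""
    decoded = unquote(raw_uri)
    canonical = container_canonicalize(decoded)
    # Trailing '/' so a request for the directory itself ('/WEB-INF') is caught.
    if is_protected_prefix(canonical + "/"):
        return "403"
    return "200 " + windows_resolve(canonical)


def serve_hardened(raw_uri: str) -> str:
    """Same pipeline, but any backslash in the decoded path is rejected outright
    before the constraint check or the file system ever sees it.
    Illustrative hardening (an assumption of this example), not the 9.3.9 patch."""
    decoded = unquote(raw_uri)
    if "\\" in decoded:
        return "400"
    canonical = container_canonicalize(decoded)
    if is_protected_prefix(canonical + "/"):
        return "403"
    return "200 " + canonical


if __name__ == "__main__":
    # Constructed request URIs: a normal file, the protected file, a '/'-based
    # traversal the container does catch, and two backslash-based bypasses.
    for uri in ("/index.html",
                "/WEB-INF/web.xml",
                "/static/..%2FWEB-INF/web.xml",
                "/WEB-INF%5Cweb.xml",
                "/static/..%5CWEB-INF%5Cweb.xml"):
        print(f"{uri:34} vulnerable={serve_vulnerable(uri):26} hardened={serve_hardened(uri)}")
```

The point of the two bypass URIs is that the container's own canonicalization is not wrong as far as it goes: `/static/../WEB-INF/web.xml` is normalized and refused. The gap is that it has a different idea of "separator" than the file system it ultimately hands the path to, and any check that runs before that disagreement is resolved can be sidestepped.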

  • CVE-2016-4800 has been assigned by [email protected] to track the vulnerability; it is currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector:          NETWORK
Access Complexity:      LOW
Authentication:         NONE
Confidentiality Impact: PARTIAL
Integrity Impact:       PARTIAL
Availability Impact:    PARTIAL

CVE References

oCERT.org - oCERT Advisories
  Tags: Mitigation, Patch, Third Party Advisory
  Link: MISC www.ocert.org/advisories/ocert-2016-001.html

Oracle Critical Patch Update Advisory - October 2020
  Link: MISC www.oracle.com/security-alerts/cpuoct2020.html

Jetty CVE-2016-4800 Security Bypass Vulnerability
  Tags: Third Party Advisory, VDB Entry
  Link: BID 90945

[jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800
  Tags: Patch, Vendor Advisory
  Link: MLIST [jetty-announce] 20160531 [jetty-announce] Jetty 9.3.x/Windows Security Vulnerability CVE-2016-4800 (dev.eclipse.org)

CVE-2016-4800 Eclipse Jetty Vulnerability in NetApp Products | NetApp Product Security
  Link: CONFIRM security.netapp.com/advisory/ntap-20190307-0006/

Zero Day Initiative
  Tags: Third Party Advisory, VDB Entry
  Link: MISC www.zerodayinitiative.com/advisories/ZDI-16-362

Known Affected Configurations (CPE V2.3)

Type              Vendor     Product  Version  Update        Edition  Language
Application       Eclipse    Jetty    9.3.0    All           All      All
Application       Eclipse    Jetty    9.3.0    m0            All      All
Application       Eclipse    Jetty    9.3.0    m1            All      All
Application       Eclipse    Jetty    9.3.0    maintenance2  All      All
Application       Eclipse    Jetty    9.3.0    rc0           All      All
Application       Eclipse    Jetty    9.3.0    rc1           All      All
Application       Eclipse    Jetty    9.3.1    All           All      All
Application       Eclipse    Jetty    9.3.2    All           All      All
Application       Eclipse    Jetty    9.3.3    All           All      All
Application       Eclipse    Jetty    9.3.4    All           All      All
Application       Eclipse    Jetty    9.3.4    rc0           All      All
Application       Eclipse    Jetty    9.3.4    rc1           All      All
Application       Eclipse    Jetty    9.3.5    All           All      All
Application       Eclipse    Jetty    9.3.6    All           All      All
Application       Eclipse    Jetty    9.3.7    All           All      All
Application       Eclipse    Jetty    9.3.7    rc0           All      All
Application       Eclipse    Jetty    9.3.7    rc1           All      All
Application       Eclipse    Jetty    9.3.8    All           All      All
Application       Eclipse    Jetty    9.3.8    rc0           All      All
Operating System  Microsoft  Windows  All      All           All      All
  • cpe:2.3:a:eclipse:jetty:9.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.0:m0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.0:m1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.0:maintenance2:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.0:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.4:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.4:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.7:rc0:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.7:rc1:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:eclipse:jetty:9.3.8:rc0:*:*:*:*:*:*
  • cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*