First published: Fri Jun 16 2017
Jetty could allow a remote attacker to obtain sensitive information, caused by a timing channel flaw in util/security/Password.java. By observing elapsed times before rejection of incorrect passwords, an attacker could exploit this vulnerability to obtain access information.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.eclipse.jetty:jetty-server | <=9.2.21.v20170120 | 9.2.22.v20170606 |
maven/org.eclipse.jetty:jetty-server | >=9.3.0, <=9.3.19.v20170502 | 9.3.20.v20170531 |
maven/org.eclipse.jetty:jetty-server | >=9.4.0, <=9.4.5.v20170502 | 9.4.6.v20170531 |
Eclipse Jetty | <9.2.22 | |
Eclipse Jetty | >=9.3.0, <9.3.20 | |
Eclipse Jetty | >=9.4.0, <9.4.6 | |
Debian Debian Linux | =9.0 | |
Oracle Communications Cloud Native Core Policy | =1.5.0 | |
Oracle Enterprise Manager Base Platform | =13.2 | |
Oracle Enterprise Manager Base Platform | =13.3 | |
Oracle Hospitality Guest Access | =4.2.0 | |
Oracle Hospitality Guest Access | =4.2.1 | |
Oracle REST Data Services | =11.2.0.4 | |
Oracle REST Data Services | =12.1.0.2 | |
Oracle REST Data Services | =12.2.0.1 | |
Oracle REST Data Services | =18c | |
Oracle Retail Xstore Point of Service | =7.1 | |
Oracle Retail Xstore Point of Service | =15.0 | |
Oracle Retail Xstore Point of Service | =16.0 | |
Oracle Retail Xstore Point of Service | =17.0 | |
IBM GDE | <=3.0.0.2 | |
CVE-2017-9735 is a vulnerability in Jetty that allows a remote attacker to obtain sensitive information.
The severity of CVE-2017-9735 is high, with a severity value of 7.5.
The following software versions are affected: Jetty 9.2.21.v20170120 to 9.2.22.v20170606, Jetty 9.3.0 to 9.3.20.v20170531, Jetty 9.4.0 to 9.4.6.v20170531, and Eclipse Jetty.
By observing elapsed times before rejection of incorrect passwords, an attacker can exploit this vulnerability to obtain access information.
You can find more information about CVE-2017-9735 at the following references: [NVD](https://nvd.nist.gov/vuln/detail/CVE-2017-9735), [GitHub](https://github.com/eclipse/jetty.project/issues/1556), [Debian Bug Tracker](https://bugs.debian.org/864631).
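As an added illustration, not Jetty's own code from util/security/Password.java, the shape of the flaw described above beside its mitigation: an early-exit password comparison whose time to reject depends on how many leading characters of the guess are correct, and a comparison that does the same amount of work wherever the mismatch is. The class name, the sample password and the use of MessageDigest.isEqual are this example's own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example; not code from the Jetty project.
public final class PasswordCompare {

    // Vulnerable shape: the loop returns at the first mismatching
    // character, so the time until rejection grows with the length of
    // the correct prefix. That is the timing channel CVE-2017-9735
    // describes for a remote caller that submits incorrect passwords.
    static boolean earlyExitEquals(String known, String guess) {
        if (known.length() != guess.length()) return false;
        for (int i = 0; i < known.length(); i++) {
            if (known.charAt(i) != guess.charAt(i)) return false;
        }
        return true;
    }

    // Hardened shape: always walks the whole guess and folds every
    // character difference into one accumulator, so neither the
    // position of the first mismatch nor a length mismatch changes
    // how much work is done before the answer is returned.
    static boolean constantTimeEquals(String known, String guess) {
        int kl = known.length();
        int gl = guess.length();
        int diff = kl ^ gl; // non-zero if the lengths differ
        for (int i = 0; i < gl; i++) {
            // Index into known modulo its length so a guess longer than
            // the stored value still costs one comparison per character
            // instead of throwing; the length term above forces a false.
            char k = (kl == 0) ? guess.charAt(i) : known.charAt(i % kl);
            diff |= k ^ guess.charAt(i);
        }
        return diff == 0;
    }

    // The same property via the JDK: MessageDigest.isEqual compares two
    // byte arrays of equal length without short-circuiting on the first
    // differing byte in current JDKs.
    static boolean jdkEquals(String known, String guess) {
        return MessageDigest.isEqual(
            known.getBytes(StandardCharsets.UTF_8),
            guess.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        String stored = "correct horse battery staple"; // constructed sample
        System.out.println(earlyExitEquals(stored, "correct horse battery staplE"));
        System.out.println(constantTimeEquals(stored, "correct horse battery staple"));
        System.out.println(constantTimeEquals(stored, "correct horse battery"));
        System.out.println(jdkEquals(stored, "wrong"));
    }
}
```

Replacing the comparison is the mitigation; the patched Jetty versions listed in the table above ship their own constant-time check, so upgrading is the fix for deployments rather than patching this code in.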