Vulnerability Details CVE-2017-9735
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 66.1%
CVSS Severity
CVSS v3 Score 7.5
CVSS v2 Score 5.0
References
- http://www.securityfocus.com/bid/99104
- https://bugs.debian.org/864631
- https://github.com/eclipse/jetty.project/issues/1556
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://www.securityfocus.com/bid/99104
- https://bugs.debian.org/864631
- https://github.com/eclipse/jetty.project/issues/1556
- https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2017-9735
-
cpe:2.3:a:eclipse:jetty:1.0
-
cpe:2.3:a:eclipse:jetty:1.0.1
-
cpe:2.3:a:eclipse:jetty:1.1
-
cpe:2.3:a:eclipse:jetty:1.1.1
-
cpe:2.3:a:eclipse:jetty:1.3
-
cpe:2.3:a:eclipse:jetty:1.3.0
-
cpe:2.3:a:eclipse:jetty:3.0.0
-
cpe:2.3:a:eclipse:jetty:4.1.0
-
cpe:2.3:a:eclipse:jetty:4.2.20
-
cpe:2.3:a:eclipse:jetty:4.2.21
-
cpe:2.3:a:eclipse:jetty:4.2.23
-
cpe:2.3:a:eclipse:jetty:4.2.24
-
cpe:2.3:a:eclipse:jetty:4.2.25
-
cpe:2.3:a:eclipse:jetty:4.2.26
-
cpe:2.3:a:eclipse:jetty:4.2.27
-
cpe:2.3:a:eclipse:jetty:5.0.0
-
cpe:2.3:a:eclipse:jetty:5.1.0
-
cpe:2.3:a:eclipse:jetty:5.1.1
-
cpe:2.3:a:eclipse:jetty:5.1.10
-
cpe:2.3:a:eclipse:jetty:5.1.11
-
cpe:2.3:a:eclipse:jetty:5.1.12
-
cpe:2.3:a:eclipse:jetty:5.1.2
-
cpe:2.3:a:eclipse:jetty:5.1.3
-
cpe:2.3:a:eclipse:jetty:5.1.4
-
cpe:2.3:a:eclipse:jetty:5.1.5
-
cpe:2.3:a:eclipse:jetty:5.1.6
-
cpe:2.3:a:eclipse:jetty:5.1.7
-
cpe:2.3:a:eclipse:jetty:5.1.8
-
cpe:2.3:a:eclipse:jetty:5.1.9
-
cpe:2.3:a:eclipse:jetty:6.0.0
-
cpe:2.3:a:eclipse:jetty:6.0.1
-
cpe:2.3:a:eclipse:jetty:6.0.2
-
cpe:2.3:a:eclipse:jetty:6.1.0
-
cpe:2.3:a:eclipse:jetty:6.1.1
-
cpe:2.3:a:eclipse:jetty:6.1.10
-
cpe:2.3:a:eclipse:jetty:6.1.11
-
cpe:2.3:a:eclipse:jetty:6.1.12
-
cpe:2.3:a:eclipse:jetty:6.1.14
-
cpe:2.3:a:eclipse:jetty:6.1.15
-
cpe:2.3:a:eclipse:jetty:6.1.16
-
cpe:2.3:a:eclipse:jetty:6.1.17
-
cpe:2.3:a:eclipse:jetty:6.1.18
-
cpe:2.3:a:eclipse:jetty:6.1.19
-
cpe:2.3:a:eclipse:jetty:6.1.2
-
cpe:2.3:a:eclipse:jetty:6.1.20
-
cpe:2.3:a:eclipse:jetty:6.1.21
-
cpe:2.3:a:eclipse:jetty:6.1.22
-
cpe:2.3:a:eclipse:jetty:6.1.23
-
cpe:2.3:a:eclipse:jetty:6.1.24
-
cpe:2.3:a:eclipse:jetty:6.1.25
-
cpe:2.3:a:eclipse:jetty:6.1.26
-
cpe:2.3:a:eclipse:jetty:6.1.3
-
cpe:2.3:a:eclipse:jetty:6.1.4
-
cpe:2.3:a:eclipse:jetty:6.1.5
-
cpe:2.3:a:eclipse:jetty:6.1.6
-
cpe:2.3:a:eclipse:jetty:6.1.7
-
cpe:2.3:a:eclipse:jetty:6.1.8
-
cpe:2.3:a:eclipse:jetty:6.1.9
-
cpe:2.3:a:eclipse:jetty:7.0.0
-
cpe:2.3:a:eclipse:jetty:7.0.1
-
cpe:2.3:a:eclipse:jetty:7.0.2
-
cpe:2.3:a:eclipse:jetty:7.1.0
-
cpe:2.3:a:eclipse:jetty:7.1.1
-
cpe:2.3:a:eclipse:jetty:7.1.2
-
cpe:2.3:a:eclipse:jetty:7.1.3
-
cpe:2.3:a:eclipse:jetty:7.1.4
-
cpe:2.3:a:eclipse:jetty:7.1.5
-
cpe:2.3:a:eclipse:jetty:7.1.6
-
cpe:2.3:a:eclipse:jetty:7.2.0
-
cpe:2.3:a:eclipse:jetty:7.2.1
-
cpe:2.3:a:eclipse:jetty:7.2.2
-
cpe:2.3:a:eclipse:jetty:7.3.0
-
cpe:2.3:a:eclipse:jetty:7.3.1
-
cpe:2.3:a:eclipse:jetty:7.4.0
-
cpe:2.3:a:eclipse:jetty:7.4.1
-
cpe:2.3:a:eclipse:jetty:7.4.2
-
cpe:2.3:a:eclipse:jetty:7.4.3
-
cpe:2.3:a:eclipse:jetty:7.4.4
-
cpe:2.3:a:eclipse:jetty:7.4.5
-
cpe:2.3:a:eclipse:jetty:7.5.0
-
cpe:2.3:a:eclipse:jetty:7.5.1
-
cpe:2.3:a:eclipse:jetty:7.5.2
-
cpe:2.3:a:eclipse:jetty:7.5.3
-
cpe:2.3:a:eclipse:jetty:7.5.4
-
cpe:2.3:a:eclipse:jetty:7.6.0
-
cpe:2.3:a:eclipse:jetty:7.6.1
-
cpe:2.3:a:eclipse:jetty:7.6.10
-
cpe:2.3:a:eclipse:jetty:7.6.11
-
cpe:2.3:a:eclipse:jetty:7.6.12
-
cpe:2.3:a:eclipse:jetty:7.6.13
-
cpe:2.3:a:eclipse:jetty:7.6.14
-
cpe:2.3:a:eclipse:jetty:7.6.15
-
cpe:2.3:a:eclipse:jetty:7.6.16
-
cpe:2.3:a:eclipse:jetty:7.6.17
-
cpe:2.3:a:eclipse:jetty:7.6.18
-
cpe:2.3:a:eclipse:jetty:7.6.19
-
cpe:2.3:a:eclipse:jetty:7.6.2
-
cpe:2.3:a:eclipse:jetty:7.6.20
-
cpe:2.3:a:eclipse:jetty:7.6.21
-
cpe:2.3:a:eclipse:jetty:7.6.3
-
cpe:2.3:a:eclipse:jetty:7.6.4
-
cpe:2.3:a:eclipse:jetty:7.6.5
-
cpe:2.3:a:eclipse:jetty:7.6.6
-
cpe:2.3:a:eclipse:jetty:7.6.7
-
cpe:2.3:a:eclipse:jetty:7.6.8
-
cpe:2.3:a:eclipse:jetty:7.6.9
-
cpe:2.3:a:eclipse:jetty:8-historical
-
cpe:2.3:a:eclipse:jetty:8.0.0
-
cpe:2.3:a:eclipse:jetty:8.0.1
-
cpe:2.3:a:eclipse:jetty:8.0.2
-
cpe:2.3:a:eclipse:jetty:8.0.3
-
cpe:2.3:a:eclipse:jetty:8.0.4
-
cpe:2.3:a:eclipse:jetty:8.1.0
-
cpe:2.3:a:eclipse:jetty:8.1.1
-
cpe:2.3:a:eclipse:jetty:8.1.10
-
cpe:2.3:a:eclipse:jetty:8.1.11
-
cpe:2.3:a:eclipse:jetty:8.1.12
-
cpe:2.3:a:eclipse:jetty:8.1.13
-
cpe:2.3:a:eclipse:jetty:8.1.14
-
cpe:2.3:a:eclipse:jetty:8.1.15
-
cpe:2.3:a:eclipse:jetty:8.1.16
-
cpe:2.3:a:eclipse:jetty:8.1.17
-
cpe:2.3:a:eclipse:jetty:8.1.18
-
cpe:2.3:a:eclipse:jetty:8.1.19
-
cpe:2.3:a:eclipse:jetty:8.1.2
-
cpe:2.3:a:eclipse:jetty:8.1.20
-
cpe:2.3:a:eclipse:jetty:8.1.21
-
cpe:2.3:a:eclipse:jetty:8.1.22
-
cpe:2.3:a:eclipse:jetty:8.1.3
-
cpe:2.3:a:eclipse:jetty:8.1.4
-
cpe:2.3:a:eclipse:jetty:8.1.5
-
cpe:2.3:a:eclipse:jetty:8.1.6
-
cpe:2.3:a:eclipse:jetty:8.1.7
-
cpe:2.3:a:eclipse:jetty:8.1.8
-
cpe:2.3:a:eclipse:jetty:8.1.9
-
cpe:2.3:a:eclipse:jetty:8.2.0
-
cpe:2.3:a:eclipse:jetty:9.0.0
-
cpe:2.3:a:eclipse:jetty:9.0.1
-
cpe:2.3:a:eclipse:jetty:9.0.2
-
cpe:2.3:a:eclipse:jetty:9.0.3
-
cpe:2.3:a:eclipse:jetty:9.0.4
-
cpe:2.3:a:eclipse:jetty:9.0.5
-
cpe:2.3:a:eclipse:jetty:9.0.6
-
cpe:2.3:a:eclipse:jetty:9.0.7
-
cpe:2.3:a:eclipse:jetty:9.1.0
-
cpe:2.3:a:eclipse:jetty:9.1.1
-
cpe:2.3:a:eclipse:jetty:9.1.2
-
cpe:2.3:a:eclipse:jetty:9.1.3
-
cpe:2.3:a:eclipse:jetty:9.1.4
-
cpe:2.3:a:eclipse:jetty:9.1.5
-
cpe:2.3:a:eclipse:jetty:9.1.6
-
cpe:2.3:a:eclipse:jetty:9.2.0
-
cpe:2.3:a:eclipse:jetty:9.2.1
-
cpe:2.3:a:eclipse:jetty:9.2.10
-
cpe:2.3:a:eclipse:jetty:9.2.11
-
cpe:2.3:a:eclipse:jetty:9.2.12
-
cpe:2.3:a:eclipse:jetty:9.2.13
-
cpe:2.3:a:eclipse:jetty:9.2.14
-
cpe:2.3:a:eclipse:jetty:9.2.15
-
cpe:2.3:a:eclipse:jetty:9.2.16
-
cpe:2.3:a:eclipse:jetty:9.2.17
-
cpe:2.3:a:eclipse:jetty:9.2.18
-
cpe:2.3:a:eclipse:jetty:9.2.19
-
cpe:2.3:a:eclipse:jetty:9.2.2
-
cpe:2.3:a:eclipse:jetty:9.2.20
-
cpe:2.3:a:eclipse:jetty:9.2.21
-
cpe:2.3:a:eclipse:jetty:9.2.3
-
cpe:2.3:a:eclipse:jetty:9.2.4
-
cpe:2.3:a:eclipse:jetty:9.2.5
-
cpe:2.3:a:eclipse:jetty:9.2.6
-
cpe:2.3:a:eclipse:jetty:9.2.7
-
cpe:2.3:a:eclipse:jetty:9.2.8
-
cpe:2.3:a:eclipse:jetty:9.2.9
-
cpe:2.3:a:eclipse:jetty:9.3.0
-
cpe:2.3:a:eclipse:jetty:9.3.1
-
cpe:2.3:a:eclipse:jetty:9.3.10
-
cpe:2.3:a:eclipse:jetty:9.3.11
-
cpe:2.3:a:eclipse:jetty:9.3.12
-
cpe:2.3:a:eclipse:jetty:9.3.13
-
cpe:2.3:a:eclipse:jetty:9.3.14
-
cpe:2.3:a:eclipse:jetty:9.3.15
-
cpe:2.3:a:eclipse:jetty:9.3.16
-
cpe:2.3:a:eclipse:jetty:9.3.17
-
cpe:2.3:a:eclipse:jetty:9.3.18
-
cpe:2.3:a:eclipse:jetty:9.3.19
-
cpe:2.3:a:eclipse:jetty:9.3.2
-
cpe:2.3:a:eclipse:jetty:9.3.3
-
cpe:2.3:a:eclipse:jetty:9.3.4
-
cpe:2.3:a:eclipse:jetty:9.3.5
-
cpe:2.3:a:eclipse:jetty:9.3.6
-
cpe:2.3:a:eclipse:jetty:9.3.7
-
cpe:2.3:a:eclipse:jetty:9.3.8
-
cpe:2.3:a:eclipse:jetty:9.3.9
-
cpe:2.3:a:eclipse:jetty:9.4.0
-
cpe:2.3:a:eclipse:jetty:9.4.1
-
cpe:2.3:a:eclipse:jetty:9.4.2
-
cpe:2.3:a:eclipse:jetty:9.4.3
-
cpe:2.3:a:eclipse:jetty:9.4.4
-
cpe:2.3:a:eclipse:jetty:9.4.5
-
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.5.0
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2
-
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3
-
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0
-
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1
-
cpe:2.3:a:oracle:rest_data_services:11.2.0.4
-
cpe:2.3:a:oracle:rest_data_services:12.1.0.2
-
cpe:2.3:a:oracle:rest_data_services:12.2.0.1
-
cpe:2.3:a:oracle:rest_data_services:18c
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0
-
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1
-
cpe:2.3:o:debian:debian_linux:9.0