CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
99.4%
The remote instance of Jetty is affected by a remote memory disclosure vulnerability in the HttpParser module due to incorrect handling of illegal characters in header values. When an illegal character is encountered in an HTTP request, Jetty writes a response in a shared buffer that was used in a previous request. Jetty’s response to the client includes this shared buffer which contains potentially sensitive data from the previous request. An attacker, using specially crafted requests containing variable length strings of illegal characters, can steal sensitive header data (e.g. cookies, authentication tokens) or sensitive POST data (e.g. credentials).
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(81576);
script_version("1.7");
script_cvs_date("Date: 2019/11/26");
script_cve_id("CVE-2015-2080");
script_bugtraq_id(72768);
script_name(english:"Jetty HttpParser Error Remote Memory Disclosure");
script_summary(english:"Checks for a remote memory disclosure flaw.");
script_set_attribute(attribute:"synopsis", value:
"The remote web server is affected by a remote memory disclosure
vulnerability.");
script_set_attribute(attribute:"description", value:
"The remote instance of Jetty is affected by a remote memory disclosure
vulnerability in the HttpParser module due to incorrect handling of
illegal characters in header values. When an illegal character is
encountered in an HTTP request, Jetty writes a response in a shared
buffer that was used in a previous request. Jetty's response to the
client includes this shared buffer which contains potentially
sensitive data from the previous request. An attacker, using specially
crafted requests containing variable length strings of illegal
characters, can steal sensitive header data (e.g. cookies,
authentication tokens) or sensitive POST data (e.g. credentials).");
# https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b8e07913");
script_set_attribute(attribute:"see_also", value:"https://bugs.eclipse.org/bugs/show_bug.cgi?id=460642");
# https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f918c477");
script_set_attribute(attribute:"solution", value:
"Upgrade to Jetty 9.2.9.v20150224 or later. For Jetty 9.3.x, contact
the vendor for a solution.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-2080");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/02/24");
script_set_attribute(attribute:"patch_publication_date", value:"2015/02/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/02/27");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:mortbay:jetty");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("http_version.nasl");
script_require_ports("Services/www", 8080);
exit(0);
}
include("global_settings.inc");
include("misc_func.inc");
include("audit.inc");
include("http.inc");
include("data_protection.inc");
port = get_http_port(default: 8080);
# Unless we're paranoid, make sure the banner looks like Jetty.
if (report_paranoia < 2)
{
banner = get_http_banner(port:port);
if (isnull(banner) || "Server: Jetty(" >!< banner)
audit(AUDIT_WRONG_WEB_SERVER, port, "Jetty");
}
response = http_send_recv3(
method: "GET",
item:"/",
port:port,
add_headers: make_array("Nessus-Header", '\x00')
);
if (isnull(response))
audit(AUDIT_RESP_NOT, port, "HTTP GET");
if ("Illegal character 0x0 in state" >!< response[0])
audit(AUDIT_LISTEN_NOT_VULN, "web server", port);
request = http_last_sent_request();
request = str_replace(string:request, find:'\x00', replace:"\x00", count:1);
security_report_v4(
port : port,
severity : SECURITY_WARNING,
generic : TRUE,
line_limit : 5,
request : make_list(request),
output : data_protection::sanitize_user_full_redaction(output:chomp(response[0]))
);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
99.4%