CVE-2009-1523

Mortbay Jetty < 6.1.16 - Path Traversal

Title source: rule

Description

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Alexey Sintsov · textremotewindows

https://www.exploit-db.com/exploits/36318

View Code ZIP pw:eip

exploitdb WRITEUP

remotewindows

https://www.exploit-db.com/exploits/18138

View Code ZIP pw:eip

References (19)

[Various Sources] http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02282388

[Various Sources] http://jira.codehaus.org/browse/JETTY-1004

[Vendor Advisory] http://secunia.com/advisories/34975

[Vendor Advisory] http://secunia.com/advisories/35143

[Vendor Advisory] http://secunia.com/advisories/35225

[Vendor Advisory] http://secunia.com/advisories/35776

[Vendor Advisory] http://secunia.com/advisories/40553

[US Government Resource] http://www.kb.cert.org/vuls/id/402580

[Third Party Advisory, US Government Resource] http://www.kb.cert.org/vuls/id/CRDY-7RKQCY

[Vendor Advisory] http://www.oracle.com/technetwork/topics/security/cpujul2009-091332.html

[Vendor Advisory] http://www.vupen.com/english/advisories/2009/1900

[Vendor Advisory] http://www.vupen.com/english/advisories/2010/1792

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=499867

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01257.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01259.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-May/msg01262.html

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/34800

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/35675

[Third Party Advisory, VDB Entry] http://www.securitytracker.com/id?1022563

Scores

EPSS 0.1218

EPSS Percentile 93.9%

Details

CWE

CWE-22

Status published

Products (41)

mortbay/jetty 1.0

mortbay/jetty 1.0.1

mortbay/jetty 1.1

mortbay/jetty 1.1.1

mortbay/jetty 1.2.0

mortbay/jetty 1.3.0

mortbay/jetty 1.3.1

mortbay/jetty 1.3.2

mortbay/jetty 1.3.3

mortbay/jetty 1.3.4

... and 31 more

Published May 05, 2009

Tracked Since Feb 18, 2026