CVE-2015-2080

HIGH NUCLEI

Fedora < 9.2.9.v20150224 - Information Disclosure

Title source: rule

Description

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Exploits (1)

exploitdb WORKING POC

by LiquidWorm · textremotemultiple

https://www.exploit-db.com/exploits/39455

View Code ZIP pw:eip

Nuclei Templates (1)

Eclipse Jetty <9.2.9.v20150224 - Sensitive Information Leakage

HIGHby pikpikcu

Shodan: cpe:"cpe:2.3:o:fedoraproject:fedora"

References (11)

[Vendor Advisory] http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html

[Vendor Advisory] http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html

[Third Party Advisory] http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html

[Exploit, Third Party Advisory] http://seclists.org/fulldisclosure/2015/Mar/12

[Broken Link] http://www.securityfocus.com/bid/72768

[Third Party Advisory] http://www.securitytracker.com/id/1031800

[Exploit, Third Party Advisory] https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html

[Exploit, Vendor Advisory] https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md

[Vendor Advisory] https://security.netapp.com/advisory/ntap-20190307-0005/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/archive/1/534755/100/1600/threaded

Scores

CVSS v3 7.5

EPSS 0.9241

EPSS Percentile 99.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-200

Status published

Products (9)

eclipse/jetty 9.2.3

eclipse/jetty 9.2.4

eclipse/jetty 9.2.5

eclipse/jetty 9.2.6

eclipse/jetty 9.2.7

eclipse/jetty 9.2.8

eclipse/jetty 9.3.0 m0 (2 CPE variants)

fedoraproject/fedora 22

org.eclipse.jetty/jetty-server 0 - 9.2.9.v20150224Maven

Published Oct 07, 2016

Tracked Since Feb 18, 2026