CVE-2017-9735

HIGH

Jetty < 9.2.22 and 9.4.0-9.4.6.v20170531 - Timing Attack via Password Validation

Title source: llm

Description

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

References (13)

Core 13

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/99104

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E

Patch, Third Party Advisory x_refsource_misc

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Third Party Advisory x_refsource_misc

https://www.oracle.com/security-alerts/cpuoct2020.html

Issue Tracking, Mailing List, Third Party Advisory x_refsource_misc

https://bugs.debian.org/864631

Issue Tracking, Patch, Third Party Advisory x_refsource_misc

https://github.com/eclipse/jetty.project/issues/1556

Mailing List, Third Party Advisory mailing-list x_refsource_mlist

https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html

Third Party Advisory x_refsource_misc

https://www.oracle.com//security-alerts/cpujul2021.html

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E

Mailing List mailing-list x_refsource_mlist

https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E

Scores

CVSS v3 7.5

EPSS 0.0084

EPSS Percentile 75.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-203

Status published

Products (16)

debian/debian_linux 9.0

eclipse/jetty < 9.2.22

oracle/communications_cloud_native_core_policy 1.5.0

oracle/enterprise_manager_base_platform 13.2

oracle/enterprise_manager_base_platform 13.3

oracle/hospitality_guest_access 4.2.0

oracle/hospitality_guest_access 4.2.1

oracle/rest_data_services 11.2.0.4

oracle/rest_data_services 12.1.0.2

oracle/rest_data_services 12.2.0.1

... and 6 more

Published Jun 16, 2017

Tracked Since Feb 18, 2026