Open nimmis opened 2 years ago
Fix by applying pull #16 (https://github.com/ToBiDi0410/SpigotDash/pull/16)
Hi. Thanks for looking into this. Did you test these changes? As I wrote under the Pull Request, this might be a problem because Socket.IO Java is very strict about the Dependency Versions.
I've just quickly tested the 9.4.46.v20220331 version and I'm also going to try 9.4.29.v20200521, which is the first that fixes the security hole. I don't think just updating jetty-server will fix it. I tried the pull, but got a version mismatch, so I updated all of jetty-server, jetty-servlet, jetty-util and websocket-server to the same newer version.
I have only tested whether they started up without throwing any exceptions. Do you know what kind of socket problem it could be, so I can test them?
If the Webinterface works, then there should be no problems. So, yeah at best just test that.
From the security scan:

Eclipse Jetty: Transfer-Encoding Request Smuggling Vulnerability

In Eclipse Jetty, transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Solution: Upgrade to version 9.4.29.v20200521 or later of Eclipse Jetty.

Information: This vulnerability was identified because (1) the detected version of Eclipse Jetty, 9.4.z-SNAPSHOT, is less than 9.4.11.v20180605
Paths: /

Reference:
Vendor - https://www.eclipse.org/jetty/
Solution - https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

IP-Address: xxx.xxx.xxx.xx
Port/Protocol: 9696/TCP
Service: http
CVSS: High (7.5)
CVE: CVE-2017-7657
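A build-time check for the two conditions discussed in this thread: that the four Jetty artifacts named above share one version, and that each is at least the 9.4.29.v20200521 release the scan report asks for. This is an added example, not code from SpigotDash or the pull request; the pom.xml content, the older version 9.4.9.v20180320 and the function names are constructed for illustration, and `${property}` version references are not resolved.

```python
import re
import xml.etree.ElementTree as ET

FIXED = "9.4.29.v20200521"  # minimum version from the scan report's "Solution"
JETTY_ARTIFACTS = {"jetty-server", "jetty-servlet", "jetty-util", "websocket-server"}

def _dep(group, artifact, version):
    return (f"<dependency><groupId>{group}</groupId><artifactId>{artifact}</artifactId>"
            f"<version>{version}</version></dependency>")

def sample_pom(other_version):
    """Constructed pom.xml: jetty-server bumped, the other three on other_version."""
    deps = [_dep("org.eclipse.jetty", "jetty-server", "9.4.46.v20220331"),
            _dep("org.eclipse.jetty", "jetty-servlet", other_version),
            _dep("org.eclipse.jetty", "jetty-util", other_version),
            _dep("org.eclipse.jetty.websocket", "websocket-server", other_version)]
    return ('<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>'
            + "".join(deps) + "</dependencies></project>")

def version_key(version):
    """'9.4.46.v20220331' -> (9, 4, 46, 20220331); parts without digits sort lowest."""
    return tuple(int(re.sub(r"\D", "", p) or -1) for p in re.split(r"[.\-]", version))

def local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def audit_jetty(pom_text, fixed=FIXED):
    """Return (versions_by_artifact, problems) for the Jetty artifacts in a pom."""
    versions = {}
    for el in ET.fromstring(pom_text).iter():
        if local(el.tag) != "dependency":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        if fields.get("artifactId") in JETTY_ARTIFACTS:
            versions[fields["artifactId"]] = fields.get("version", "")
    problems = []
    if len(set(versions.values())) > 1:
        problems.append("mismatch: Jetty artifacts are on different versions")
    for name, ver in sorted(versions.items()):
        if version_key(ver) < version_key(fixed):
            problems.append(f"{name} {ver} is older than {fixed}")
    return versions, problems

if __name__ == "__main__":
    # Only jetty-server updated, as in the first attempt described above.
    for line in audit_jetty(sample_pom("9.4.9.v20180320"))[1]:
        print(line)
```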