Path to dependency file: /tmp/ws-scm/tensorio-android/javaexample/build.gradle
Path to vulnerable library: 20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-server-9.3.4.RC0.jar,/tmp/ws-ua_20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-server-9.3.4.RC0.jar
Path to dependency file: /tmp/ws-scm/tensorio-android/javaexample/build.gradle
Path to vulnerable library: 20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-util-9.3.4.RC0.jar,/tmp/ws-ua_20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-util-9.3.4.RC0.jar
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
CVE-2016-4800 - High Severity Vulnerability
Vulnerable Libraries - jetty-server-9.3.4.RC0.jar, jetty-util-9.3.4.RC0.jar
jetty-server-9.3.4.RC0.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/tensorio-android/javaexample/build.gradle
Path to vulnerable library: 20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-server-9.3.4.RC0.jar,/tmp/ws-ua_20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-server-9.3.4.RC0.jar
Dependency Hierarchy: - :x: **jetty-server-9.3.4.RC0.jar** (Vulnerable Library)
jetty-util-9.3.4.RC0.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /tmp/ws-scm/tensorio-android/javaexample/build.gradle
Path to vulnerable library: 20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-util-9.3.4.RC0.jar,/tmp/ws-ua_20200803172627_FRGLVQ/downloadResource_KWMISC/20200803172805/jetty-util-9.3.4.RC0.jar
Dependency Hierarchy: - :x: **jetty-util-9.3.4.RC0.jar** (Vulnerable Library)
Found in HEAD commit: ab681bed6317590621823b965bf9b7e4da2638aa
Vulnerability Details
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
Publish Date: 2017-04-13
URL: CVE-2016-4800
CVSS 3 Score Details (9.8)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4800
Release Date: 2017-04-13
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0