CVE-2016-4800

high-risk

Published 2017-04-13

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

Do I need to act?

0.61% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (19)

Jetty

Affected Vendors

Eclipse

References (12)

Patch http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html

Mitigation http://www.ocert.org/advisories/ocert-2016-001.html

Third Party Advisory http://www.securityfocus.com/bid/90945

Third Party Advisory http://www.zerodayinitiative.com/advisories/ZDI-16-362

https://security.netapp.com/advisory/ntap-20190307-0006/

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html

Mitigation http://www.ocert.org/advisories/ocert-2016-001.html

Third Party Advisory http://www.securityfocus.com/bid/90945

Third Party Advisory http://www.zerodayinitiative.com/advisories/ZDI-16-362

https://security.netapp.com/advisory/ntap-20190307-0006/

https://www.oracle.com/security-alerts/cpuoct2020.html

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 19/34 · Moderate