Security Experts:

Connect with us

Hi, what are you looking for?



Critical Vulnerability Found in Jetty Web Server

Researchers have identified a critical information leakage vulnerability in Jetty, the Web server and Java servlet container maintained by the Eclipse Foundation.

Researchers have identified a critical information leakage vulnerability in Jetty, the Web server and Java servlet container maintained by the Eclipse Foundation.

The flaw (CVE-2015-2080) was discovered earlier this month by New York-based security services company Gotham Digital Science (GDS). The vulnerability, dubbed by researchers JetLeak, can be exploited by a remote, unauthenticated attacker to read arbitrary data from requests previously submitted by users to the server, GDS reported.

An attacker can obtain various pieces of sensitive data transmitted through headers and POST requests, including cookies, authentication tokens, anti-CSRF tokens, usernames, passwords, and authentication tokens, researchers said.

“The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server,” Stephen Komal, a security researcher at GDS, explained in a blog post.

“An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user’s request depending on the attacker’s payload offset,” Komal added.

The bug, described by the Jetty development team as a “HttpParser error buffer bleed vulnerability,” affects Jetty versions 9.2.3 through 9.2.8, and Jetty 9.3.0, which is currently in beta.

The vulnerability was reported to Eclipse on February 19. On February 23, developers determined that the bug was caused by a “bad implementation of a feature request for more details on HttpParser parsing errors.” The flaw was addressed on Tuesday with the release of Jetty 9.2.9.

“We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base,” Eclipse explained in its advisory.

The Jetty development team has also promised to fix the vulnerability in version 9.3.0. GDS noted that patched versions of the affected files will also be made available for Jetty 9.2.3 through 9.2.8.

It’s important to note that Jetty is bundled with several third-party products, including embedded systems. The list of solutions powered by Jetty includes Hadoop, Cisco’s Subscriber Edge Services Manager (SESM), IBM Tivoli NetView, VMware, Vodafone 360, HP OpenView Interconnect Tools, and WikiLeaks.

“Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available,” Komal said. “Additionally, we have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.”

GDS has developed a script that allows users to determine if their Jetty HTTP servers are vulnerable to JetLeak attacks.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.