Critical Vulnerability Found in Jetty Web Server

Researchers have identified a critical information leakage vulnerability in Jetty, the Web server and Java servlet container maintained by the Eclipse Foundation.

The flaw (CVE-2015-2080) was discovered earlier this month by New York-based security services company Gotham Digital Science (GDS). The vulnerability, dubbed by researchers JetLeak, can be exploited by a remote, unauthenticated attacker to read arbitrary data from requests previously submitted by users to the server, GDS reported.

An attacker can obtain various pieces of sensitive data transmitted through headers and POST requests, including cookies, authentication tokens, anti-CSRF tokens, usernames, and passwords, researchers said.

“The root cause of this vulnerability can be traced to exception handling code that returns approximately 16 bytes of data from a shared buffer when illegal characters are submitted in header values to the server,” Stephen Komal, a security researcher at GDS, explained in a blog post.

“An attacker can exploit this behavior by submitting carefully crafted requests containing variable length strings of illegal characters to trigger the exception and offset into the shared buffer. Since the shared buffer contains user submitted data from previous requests, the Jetty server will return specific data chunks (approximately 16-bytes in length) from the user’s request depending on the attacker’s payload offset,” Komal added.

The bug, described by the Jetty development team as an “HttpParser error buffer bleed vulnerability,” affects Jetty versions 9.2.3 through 9.2.8, and Jetty 9.3.0, which is currently in beta.

The vulnerability was reported to Eclipse on February 19. On February 23, developers determined that the bug was caused by a “bad implementation of a feature request for more details on HttpParser parsing errors.” The flaw was addressed on Tuesday with the release of Jetty 9.2.9.

“We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital and important to our user base,” Eclipse explained in its advisory.

The Jetty development team has also promised to fix the vulnerability in version 9.3.0. GDS noted that patched versions of the affected files will also be made available for Jetty 9.2.3 through 9.2.8.

It’s important to note that Jetty is bundled with several third-party products, including embedded systems. The list of solutions powered by Jetty includes Hadoop, Cisco’s Subscriber Edge Services Manager (SESM), IBM Tivoli NetView, VMware, Vodafone 360, HP OpenView Interconnect Tools, and WikiLeaks.

“Organizations should contact any vendors that may be running a Jetty web server in order to determine if their products are vulnerable and when any patches to resolve this vulnerability will be made available,” Komal said. “Additionally, we have encountered cases where development teams use Jetty as a lightweight replacement for app servers such as Tomcat. Organizations should consider notifying their development teams about the vulnerability and require teams to upgrade any vulnerable versions of Jetty.”

GDS has developed a script that allows users to determine if their Jetty HTTP servers are vulnerable to JetLeak attacks.
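The affected range stated above (9.2.3 through 9.2.8, plus the 9.3.0 beta, fixed in 9.2.9) is the kind of fact a defender wants to turn into an inventory check. The script below is an added example written for this article, not GDS's tester or any Jetty project code: it classifies the value of an HTTP `Server` response header (Jetty advertises itself as `Jetty(<major>.<minor>.<patch>.<qualifier>)`) against that range. The host names and header strings in `SAMPLE_INVENTORY` are constructed for illustration, and treating every `9.3.0` pre-release banner as affected is an assumption drawn from the article's wording.

```python
"""Triage Jetty 'Server' header banners against the JetLeak (CVE-2015-2080)
affected range reported in the article: 9.2.3 through 9.2.8, plus the 9.3.0
beta. The fixed release per the article is 9.2.9.

Added example, not GDS's test script or Jetty project code. All hosts and
header values in SAMPLE_INVENTORY are constructed.
"""
import re

# Jetty's banner looks like "Jetty(9.2.8.v20150217)"; the trailing qualifier
# (date tag, milestone tag) is optional in this pattern.
_JETTY_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)(?:\.([^)]*))?\)")

AFFECTED_MIN = (9, 2, 3)   # first affected 9.2.x release (from the article)
AFFECTED_MAX = (9, 2, 8)   # last affected 9.2.x release (from the article)
FIXED = (9, 2, 9)          # release carrying the fix (from the article)


def parse_jetty_version(server_header):
    """Return ((major, minor, patch), qualifier) or None for non-Jetty banners."""
    if not server_header:
        return None
    m = _JETTY_RE.search(server_header)
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1, 2, 3))
    return version, (m.group(4) or "")


def jetleak_status(server_header):
    """Classify a Server header as 'affected', 'fixed', 'not-affected' or 'unknown'.

    'unknown' covers suppressed banners and non-Jetty servers. The banner is
    operator-controlled and may be hidden or rewritten, so 'affected' is a
    triage signal to confirm against the deployed artifact, not proof.
    """
    parsed = parse_jetty_version(server_header)
    if parsed is None:
        return "unknown"
    version, _qualifier = parsed
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version == (9, 3, 0):
        # Assumption: the article says 9.3.0 (then in beta) is affected and a
        # fix was promised, so any 9.3.0 pre-release banner is flagged.
        return "affected"
    if version < AFFECTED_MIN:
        return "not-affected"
    return "fixed"


def triage(inventory):
    """inventory maps host -> Server header; returns hosts flagged as affected."""
    return sorted(h for h, hdr in inventory.items()
                  if jetleak_status(hdr) == "affected")


# Constructed inventory for demonstration; not real hosts or observed banners.
SAMPLE_INVENTORY = {
    "app1.example.internal": "Jetty(9.2.8.v20150217)",
    "app2.example.internal": "Jetty(9.2.9.v20150224)",
    "app3.example.internal": "Jetty(9.2.2.v20140723)",
    "ci.example.internal": "Jetty(9.3.0.M1)",
    "legacy.example.internal": "Apache-Coyote/1.1",
    "hardened.example.internal": "",   # banner suppressed by the operator
}


if __name__ == "__main__":
    for host, hdr in SAMPLE_INVENTORY.items():
        print(f"{host:28} {hdr or '<no banner>':26} {jetleak_status(hdr)}")
    print("needs attention:", triage(SAMPLE_INVENTORY))
```

Because the banner can be suppressed or edited, an "unknown" result should be resolved from the deployed jar or the vendor's bill of materials rather than treated as safe; this is the same point the article makes about contacting vendors who embed Jetty.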

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.