CVE-2017-9735 (High) detected in multiple libraries - autoclosed #403

mend-for-github.ghproxy.top · 2021-11-03T13:12:16Z

CVE-2017-9735 - High Severity Vulnerability

Vulnerable Libraries - jetty-util-8.0.4.v20111024.jar, jetty-util-9.4.1.v20170120.jar, jetty-util-8.1.22.v20160922.jar, jetty-util-9.2.15.v20160210.jar, jetty-util-9.3.2.v20150730.jar, jetty-util-9.0.0.v20130308.jar, jetty-util-9.1.0.v20131115.jar, jetty-util-8.2.0.v20160908.jar, jetty-util-9.4.5.v20170502.jar, jetty-util-9.2.12.v20150709.jar, jetty-util-7.6.0.v20120127.jar, jetty-util-7.0.0.v20091005.jar, jetty-util-9.0.7.v20131107.jar, jetty-util-9.3.6.v20151106.jar, jetty-util-7.6.21.v20160908.jar, jetty-util-9.2.9.v20150224.jar

jetty-util-8.0.4.v20111024.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/jetty-7.0/jetty-7.0.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/8.0.4.v20111024/33f60c71941d90302751f72a12bcf1d299c17c75/jetty-util-8.0.4.v20111024.jar

Dependency Hierarchy:

jetty-server-8.0.4.v20111024.jar (Root Library)
- jetty-http-8.0.4.v20111024.jar
  - jetty-io-8.0.4.v20111024.jar
    - ❌ jetty-util-8.0.4.v20111024.jar (Vulnerable Library)

jetty-util-9.4.1.v20170120.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/benchmark-integration/jetty-perftest/jetty-perftest.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.1.v20170120/810c4e4275e399feaf6e8bc51aa72645bdc06205/jetty-util-9.4.1.v20170120.jar

Dependency Hierarchy:

jetty-server-9.4.1.v20170120.jar (Root Library)
- jetty-http-9.4.1.v20170120.jar
  - ❌ jetty-util-9.4.1.v20170120.jar (Vulnerable Library)

jetty-util-8.1.22.v20160922.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/appsec/weblog/weblog-spring-app/weblog-spring-app.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/8.1.22.v20160922/5ae59f43ce3a356c98d6a3b7b2b8ef46f227ff1d/jetty-util-8.1.22.v20160922.jar

Dependency Hierarchy:

spring-boot-starter-jetty-1.5.9.RELEASE.jar (Root Library)
- jetty-webapp-8.1.22.v20160922.jar
  - jetty-xml-8.1.22.v20160922.jar
    - ❌ jetty-util-8.1.22.v20160922.jar (Vulnerable Library)

jetty-util-9.2.15.v20160210.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-smoke-tests/play-2.5/play-2.5.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.2.15.v20160210/ccd245541cc63311bdcfe551525bd7d82ea5e92c/jetty-util-9.2.15.v20160210.jar

Dependency Hierarchy:

play-test_2.11-2.5.19.jar (Root Library)
- htmlunit-2.20.jar
  - websocket-client-9.2.15.v20160210.jar
    - ❌ jetty-util-9.2.15.v20160210.jar (Vulnerable Library)

jetty-util-9.3.2.v20150730.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/sparkjava-2.3/sparkjava-2.3.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.2.v20150730/96eab74d8886ee9d51b6a3eeab9744807e842169/jetty-util-9.3.2.v20150730.jar

Dependency Hierarchy:

spark-core-2.3.jar (Root Library)
- jetty-webapp-9.3.2.v20150730.jar
  - jetty-xml-9.3.2.v20150730.jar
    - ❌ jetty-util-9.3.2.v20150730.jar (Vulnerable Library)

jetty-util-9.0.0.v20130308.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/jetty-9/jetty-9.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.0.0.v20130308/19859238118e33ad1be4c0b629fe69c0f73853f4/jetty-util-9.0.0.v20130308.jar

Dependency Hierarchy:

jetty-server-9.0.0.v20130308.jar (Root Library)
- jetty-io-9.0.0.v20130308.jar
  - ❌ jetty-util-9.0.0.v20130308.jar (Vulnerable Library)

jetty-util-9.1.0.v20131115.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/jetty-client-9.1/jetty-client-9.1.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.1.0.v20131115/440fc44218366a7b58739aef4402b4927e135b9c/jetty-util-9.1.0.v20131115.jar,/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.1.0.v20131115/440fc44218366a7b58739aef4402b4927e135b9c/jetty-util-9.1.0.v20131115.jar

Dependency Hierarchy:

❌ jetty-util-9.1.0.v20131115.jar (Vulnerable Library)

jetty-util-8.2.0.v20160908.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/jetty-7.6/jetty-7.6.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/8.2.0.v20160908/4ee77aaee05035ca4255d21187ff50b45ef81f55/jetty-util-8.2.0.v20160908.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/8.2.0.v20160908/4ee77aaee05035ca4255d21187ff50b45ef81f55/jetty-util-8.2.0.v20160908.jar

Dependency Hierarchy:

jetty-server-8.2.0.v20160908.jar (Root Library)
- jetty-http-8.2.0.v20160908.jar
  - jetty-io-8.2.0.v20160908.jar
    - ❌ jetty-util-8.2.0.v20160908.jar (Vulnerable Library)

jetty-util-9.4.5.v20170502.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-smoke-tests/play-2.6/play-2.6.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.5.v20170502/5fd36dfcf39110b809bd9b20cec62706ab694711/jetty-util-9.4.5.v20170502.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.4.5.v20170502/5fd36dfcf39110b809bd9b20cec62706ab694711/jetty-util-9.4.5.v20170502.jar

Dependency Hierarchy:

play-test_2.12-2.6.25.jar (Root Library)
- htmlunit-driver-2.27.jar
  - htmlunit-2.27.jar
    - websocket-client-9.4.5.v20170502.jar
      - ❌ jetty-util-9.4.5.v20170502.jar (Vulnerable Library)

jetty-util-9.2.12.v20150709.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-smoke-tests/play-2.4/play-2.4.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.2.12.v20150709/d99d38adfdb5ec677643f04fa862554b0bb8b42e/jetty-util-9.2.12.v20150709.jar

Dependency Hierarchy:

play-test_2.11-2.4.11.jar (Root Library)
- fluentlenium-core-0.10.9.jar
  - selenium-java-2.48.2.jar
    - selenium-htmlunit-driver-2.48.2.jar
      - htmlunit-2.18.jar
        
        websocket-client-9.2.12.v20150709.jar
        
        ❌ jetty-util-9.2.12.v20150709.jar (Vulnerable Library)

jetty-util-7.6.0.v20120127.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/jetty-7.6/jetty-7.6.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/7.6.0.v20120127/2c2bb1f28510723b955a48b40ba7f2aac4de22a4/jetty-util-7.6.0.v20120127.jar

Dependency Hierarchy:

jetty-server-7.6.0.v20120127.jar (Root Library)
- jetty-http-7.6.0.v20120127.jar
  - jetty-io-7.6.0.v20120127.jar
    - ❌ jetty-util-7.6.0.v20120127.jar (Vulnerable Library)

jetty-util-7.0.0.v20091005.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/servlet/request-2/request-2.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/7.0.0.v20091005/5b6c27791dc5ec98feca5a87aaecf38b5109d43a/jetty-util-7.0.0.v20091005.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/7.0.0.v20091005/5b6c27791dc5ec98feca5a87aaecf38b5109d43a/jetty-util-7.0.0.v20091005.jar

Dependency Hierarchy:

jetty-server-7.0.0.v20091005.jar (Root Library)
- jetty-http-7.0.0.v20091005.jar
  - jetty-io-7.0.0.v20091005.jar
    - ❌ jetty-util-7.0.0.v20091005.jar (Vulnerable Library)

jetty-util-9.0.7.v20131107.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/dropwizard/dropwizard-views/dropwizard-views.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.0.7.v20131107/93a606c83b047e8855eb3af68c335e60fa757367/jetty-util-9.0.7.v20131107.jar

Dependency Hierarchy:

dropwizard-views-0.7.0.jar (Root Library)
- dropwizard-core-0.7.0.jar
  - dropwizard-lifecycle-0.7.0.jar
    - jetty-server-9.0.7.v20131107.jar
      - jetty-io-9.0.7.v20131107.jar
        
        ❌ jetty-util-9.0.7.v20131107.jar (Vulnerable Library)

jetty-util-9.3.6.v20151106.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/sparkjava-2.3/sparkjava-2.3.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.6.v20151106/8721c8e670c11ea19005c567733453956b6243fc/jetty-util-9.3.6.v20151106.jar

Dependency Hierarchy:

spark-core-2.4.jar (Root Library)
- jetty-server-9.3.6.v20151106.jar
  - jetty-io-9.3.6.v20151106.jar
    - ❌ jetty-util-9.3.6.v20151106.jar (Vulnerable Library)

jetty-util-7.6.21.v20160908.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/servlet/request-2/request-2.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/7.6.21.v20160908/bd135a2685448834da4e0e993252620141d7528b/jetty-util-7.6.21.v20160908.jar

Dependency Hierarchy:

jetty-server-7.6.21.v20160908.jar (Root Library)
- jetty-http-7.6.21.v20160908.jar
  - jetty-io-7.6.21.v20160908.jar
    - ❌ jetty-util-7.6.21.v20160908.jar (Vulnerable Library)

jetty-util-9.2.9.v20150224.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /dd-java-agent/instrumentation/dropwizard/dropwizard.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.2.9.v20150224/b5fb774a02158e9f66fed949581159a8d0dfcbe1/jetty-util-9.2.9.v20150224.jar

Dependency Hierarchy:

dropwizard-testing-0.8.0.jar (Root Library)
- dropwizard-core-0.8.0.jar
  - dropwizard-logging-0.8.0.jar
    - ❌ jetty-util-9.2.9.v20150224.jar (Vulnerable Library)

Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079

Found in base branch: master

Vulnerability Details

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Publish Date: 2017-06-16

URL: CVE-2017-9735

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784

Release Date: 2017-06-16