Mortbay Jetty Dump Servlet vulnerable to cross-site scripting

2007-12-0400:00:00

www.kb.cert.org

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

77.9%

JSON

Overview

The Mortbay Jetty Dump Servlet contains a cross-site scripting vulnerability.

Description

Mortbay Jetty is a web server that is written in Java. The Dump Servlet that is included with Jetty is vulnerable to cross-site scripting. Note that according to the vendor, the Dump Servlet is for testing purposes and is not intended to be included in a live web site.

Impact

A remote, unauthenticated attacker may be able to perform a cross-site scripting attack against a Jetty web server. More information about cross-site scripting can be found in CERT Advisory CA-2000-02.

Solution

Apply an update

This issue is addressed in Mortbay Jetty 6.1.6. Details are available in the release notes.

Remove the Dump Servlet

This issue can be mitigated by removing the Dump Servlet from the web server.

Vendor Information

237888

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Mort Bay __ Affected

Notified: October 26, 2007 Updated: December 04, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

This issue is addressed in Mortbay Jetty 6.1.6.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23237888 Feedback>).