Security firm GDS discovered a remote shared-buffer disclosure vulnerability in the Jetty web server. Through this vulnerability, an unauthenticated attacker can remotely obtain requests that legitimate users previously sent to the server. In short, an attacker may be able to remotely read sensitive information from the shared buffer of a vulnerable server, including HTTP header information, cookies, authentication tokens, anti-CSRF tokens, and user POST data such as user names and passwords.
The root cause is that when a malicious character is inserted into a header and submitted to the server, the exception-handling code returns about 16 bytes of data from the shared buffer. An attacker can therefore submit a carefully constructed request that triggers the exception with an offset into the shared buffer. Because the shared buffer holds data that users previously submitted, the Jetty server returns a block of about 16 bytes of that data in response to the attacker's request, and that block can contain sensitive information.
Affected versions
The vulnerability affects Jetty versions 9.2.3 to 9.2.8. GDS also found that the Jetty 9.3.x beta versions are affected.
GDS provides a vulnerability validation script for download:
$ python jetleak_tester.py http://[ENTER HOSTNAME] 80
If the server is vulnerable, the script displays:
This version of Jetty is VULNERABLE to JetLeak!
If the server is not vulnerable, it displays:
This version of Jetty is NOT vulnerable to JetLeak.
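For inventory triage against the affected versions listed above, the following added example (not the GDS script and not code from the original page) classifies `Server` header banners by version. The banner format `Jetty(9.2.7.v20150116)`, the function names, and the sample inventory are assumptions made for illustration; treating 9.3 milestone/RC/beta qualifiers as "review" is also an assumption, because the page gives no exact bounds for the 9.3.x betas.

```python
import re

# Affected range as stated on this page: Jetty 9.2.3 through 9.2.8.
AFFECTED_MIN = (9, 2, 3)
AFFECTED_MAX = (9, 2, 8)

# Assumed banner shape, e.g. "Jetty(9.2.7.v20150116)" or "Jetty(9.3.0.M1)".
BANNER_RE = re.compile(r"Jetty\((\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z0-9_-]+))?\)")
# Assumed pre-release qualifiers for the "beta" 9.3.x builds the page mentions.
PRERELEASE_RE = re.compile(r"(?i)(M\d+|RC\d+|beta\d*)$")


def classify(banner):
    """Return 'affected', 'review', 'not-listed' or 'unknown' for a Server header."""
    m = BANNER_RE.search(banner or "")
    if not m:
        # Header stripped, rewritten by a proxy, or not Jetty: the banner proves
        # nothing either way, so the host still needs a direct check.
        return "unknown"
    version = tuple(int(part) for part in m.group(1, 2, 3))
    qualifier = m.group(4) or ""
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version[:2] == (9, 3) and PRERELEASE_RE.match(qualifier):
        return "review"  # 9.3.x beta: page gives no bounds, verify manually
    return "not-listed"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample data: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "app01.example.internal": "Jetty(9.2.7.v20150116)",
    "app02.example.internal": "Jetty(9.2.2.v20140723)",
    "app03.example.internal": "Jetty(9.3.0.M1)",
    "edge01.example.internal": "nginx",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {verdict}")
```

A banner match is only a triage signal; hosts reported as "unknown" or "review" should be confirmed with the validation script or a package inventory.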