ID: OSVDB:8948
Type: osvdb
Reporter: OSVDB
Modified: 2002-10-01T00:00:00
Description
Solution Description
Upgrade to version 4.1.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
References:
Vendor Specific Advisory URL: http://groups.yahoo.com/group/jetty-announce/message/45
Other Advisory URL: http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt
Keyword: Directory Traversal
ISS X-Force ID: 10246
CVE-2002-1178
Bugtraq ID: 5852
{"title": "Jetty HTTP Server CGIServlet Double Dot Arbitrary File Access", "published": "2002-10-01T00:00:00", "references": [], "type": "osvdb", "enchantments": {"score": {"value": 6.3, "vector": "NONE", "modified": "2017-04-28T13:20:03", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1178"]}, {"type": "exploitdb", "idList": ["EDB-ID:21895"]}], "modified": "2017-04-28T13:20:03", "rev": 2}, "vulnersScore": 6.3}, "cvelist": ["CVE-2002-1178"], "viewCount": 4, "affectedSoftware": [], "id": "OSVDB:8948", "modified": "2002-10-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:8948", "edition": 1, "description": "## Solution Description\nUpgrade to version 4.1.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\n[Vendor Specific Advisory URL](http://groups.yahoo.com/group/jetty-announce/message/45)\nOther Advisory URL: http://www.westpoint.ltd.uk/advisories/wp-02-0011.txt\nKeyword: Directory Traversal\nISS X-Force ID: 10246\n[CVE-2002-1178](https://vulners.com/cve/CVE-2002-1178)\nBugtraq ID: 5852\n", "bulletinFamily": "software", "reporter": "OSVDB", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/", "score": 5.0}, "lastseen": "2017-04-28T13:20:03"}
{"cve": [{"lastseen": "2020-12-09T19:19:27", "description": "Directory traversal vulnerability in the CGIServlet for Jetty HTTP server before 4.1.0 allows remote attackers to execute arbitrary commands via ..\\ (dot-dot backslash) sequences in an HTTP request to the cgi-bin directory.", "edition": 5, "cvss3": {}, "published": "2002-10-11T04:00:00", "title": "CVE-2002-1178", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1178"], "modified": "2016-10-18T02:24:00", "cpe": ["cpe:/a:jetty:jetty_http_server:4.1.0"], "id": "CVE-2002-1178", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1178", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:jetty:jetty_http_server:4.1.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-02-02T17:31:18", "description": "Jetty 3.1.6/3.1.7/4.1 Servlet Engine Arbitrary Command Execution Vulnerability. CVE-2002-1178. Webapps exploit for cgi platform", "published": "2002-10-02T00:00:00", "type": "exploitdb", "title": "Jetty 3.1.6/3.1.7/4.1 Servlet Engine Arbitrary Command Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2002-1178"], "modified": "2002-10-02T00:00:00", "id": "EDB-ID:21895", "href": "https://www.exploit-db.com/exploits/21895/", "sourceData": "source: http://www.securityfocus.com/bid/5852/info\r\n\r\nA flaw in the CGIServlet in Jetty allows an attacker to execute arbitrary commands on the server. 
Specifically, it is possible for an attacker to use directory traversal sequences and cause the CGIServlet to execute attacker-specified commands (such as running executables on the host).\r\n\r\nThis vulnerability affects Jetty versions for Microsoft Windows prior to 4.1.0.\r\n\r\nhttp://jetty-server:8080/cgi-bin/..\\..\\..\\..\\..\\..\\winnt/notepad.exe", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/21895/"}]}