漏洞标题
Jetty 接受 "+ prefixed value in Content-Length" 的值。
漏洞描述信息
Jetty接受在Content-Length中带有"+"前缀的值
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
漏洞类别
HTTP请求的解释不一致性(HTTP请求私运)
漏洞标题
Jetty accepts "+" prefixed value in Content-Length
漏洞描述信息
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
漏洞类别
长度参数不一致性处理不恰当
漏洞标题
Eclipse Jetty 安全漏洞
漏洞描述信息
Eclipse Jetty是Eclipse基金会的一个开源的、基于Java的Web服务器和Java Servlet容器。 Eclipse Jetty 存在安全漏洞,该漏洞源于拒绝请求并返回400响应。
CVSS信息
N/A
漏洞类别
其他