Jetty: directory traversal, cross-site scripting [LWN.net]

Package(s):

jetty

CVE #(s):

CVE-2009-1523 CVE-2009-1524

Created:

May 26, 2009

Updated:

November 24, 2009

Description:

From the CVE entries:

Directory traversal vulnerability in the HTTP server in Mort Bay Jetty before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote attackers to access arbitrary files via directory traversal sequences in the URI. (CVE-2009-1523)

Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or HTML via a directory listing request containing a ; (semicolon) character.

Alerts:

Mandriva	MDVSA-2009:291	jetty5	2009-10-29
SuSE	SUSE-SR:2009:019	cups, jetty5, libqt4/dbus-1-qt, opera, puretls/jessie, kdegraphics3-pdf, qemu	2009-11-24
Fedora	FEDORA-2009-5509	jetty	2009-05-26
Fedora	FEDORA-2009-5513	jetty	2009-05-26
Fedora	FEDORA-2009-5500	jetty	2009-05-26