Base Score

HIGH7.5

CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

VectorNETWORK

Published Bycve@mitre.org

Published DateJun 16, 2017, 21:29

Affected Versions(3)

org.eclipse.jetty:jetty-server(Maven)

Introduced9.4.0

Fixed9.4.6.v20170531

LimitN/A

org.eclipse.jetty:jetty-server(Maven)

Introduced9.3.0

Fixed9.3.20.v20170531

LimitN/A

org.eclipse.jetty:jetty-server(Maven)

Introduced0

Fixed9.2.22.v20170606

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.eclipse.jetty:jetty-server(Maven)	9.4.0	9.4.6.v20170531	N/A
org.eclipse.jetty:jetty-server(Maven)	9.3.0	9.3.20.v20170531	N/A
org.eclipse.jetty:jetty-server(Maven)	0	9.2.22.v20170606	N/A

Weakness Type (CWE):CWE-203

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

HIGH7.5

Weakness Type (CWE):CWE-203

CVSS Metrics

Base Score

7.5

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE