Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.0.0beta8, 6.0.0beta9, 6.0.0beta10, 6.0.0beta11, 6.0.0beta12, 6.0.0beta14, 6.0.0beta15, 6.0.0beta16, 6.0.0beta17, 6.0.0RC0, 6.0.0rc1, 6.0.0rc2, 6.0.0rc3, 6.0.0rc4, 6.0.0, 6.0.1, 6.0.2, 6.1.0pre0, 6.1.0pre1, 6.1.0pre2, 6.1.0pre3, 6.1.0rc0, 6.1.0rc1, 6.1.0rc2, 6.1.0rc3, 6.1.0, 6.1.1rc0, 6.1.1rc1, 6.1.1, 6.1.2rc0, 6.1.2rc1, 6.1.2rc2, 6.1.2rc3, 6.1.2rc4, 6.1.2rc5, 6.1.2, 6.1.3, 6.1.4rc0, 6.1.4rc1, 6.1.4, 6.1.5rc0, 6.1.5, 6.1.6rc0, 6.1.6rc1, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 7.0.0pre0, 7.0.0pre1, 7.0.0pre2, 7.0.0pre3, 7.0.0pre4, 7.0.0.pre5, 7.0.0.RC4, 7.0.0.RC5, 7.0.0.RC6, 7.0.0, 7.0.1, 6.1.10, 6.1.11, 6.1.12rc1, 6.1.12.rc2, 6.1.12.rc3, 6.1.12.rc4, 6.1.12.rc5, 6.1.12, 6.1.14, 6.1.15.pre0, 6.1.15.rc2, 6.1.15.rc3, 6.1.15.rc4, 6.1.15.rc5, 6.1.15, 6.1.16, 6.1.17, 6.1.18, 6.1.19, 6.1.20, 6.1.21, 6.1.22, 6.1.23, 6.1.24, 6.1.25, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.2, 8.0.0.M0, 8.0.0.M1
    • Fix Version/s: None
    • Component/s: Servlet
    • Labels:
      None
    • Number of attachments :
      0

      Description

      A check for CVE-2007-6203 detected that the servlet API jar is also suffering from this issue and not sanitizing the METHOD in the error return.
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203

      A check of the servlet API source revealed that illegal cookie names are also not sanitized. This issue appears in the latest versions of the servlet API and is not strictly a Jetty problem.

      Jetty versions will be updated to use a custom-built servlet.jar without this cross-site scripting vulnerability.
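
A defensive pattern for the problem described above, as an added example that is not part of the original issue and is not Servlet API or Jetty code: client-supplied method and cookie names are checked against the HTTP token grammar and HTML-escaped before they appear in error text. The class and method names are hypothetical and the inputs are constructed.

```java
// Added illustration: class and method names are hypothetical, not Servlet API or Jetty code.
public class ErrorTextSanitizer {
    // Characters allowed in an HTTP token (RFC 7230 "tchar") besides letters and digits.
    private static final String TCHAR_PUNCT = "!#$%&'*+-.^_`|~";

    /** True if s is a non-empty HTTP token, the grammar shared by method names and cookie names. */
    static boolean isToken(String s) {
        if (s == null || s.isEmpty()) return false;
        for (char c : s.toCharArray()) {
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
            if (!alnum && TCHAR_PUNCT.indexOf(c) < 0) return false;
        }
        return true;
    }

    /** Escape the characters that are significant in HTML text and attribute values. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Build error text from a client-supplied method or cookie name. */
    static String describe(String kind, String value) {
        // Non-token input is never echoed; tokens are still escaped since '&' and '\'' are legal tchars.
        String shown = isToken(value) ? escapeHtml(value) : "(invalid)";
        return kind + " " + shown + " is not supported";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two ordinary methods, markup, a legal token containing '&', empty.
        for (String m : new String[] {"GET", "PROPFIND", "<b>X</b>", "A&B", ""}) {
            System.out.println(describe("Method", m));
        }
        System.out.println(describe("Cookie name", "sid\"><i>"));
    }
}
```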

        Activity

        Greg Wilkins added a comment -

        I think this issue is a false positive, as the method is not being put in the message body, only in the reason string. But still it probably should be fixed.

        Jesse McConnell added a comment -

        we can't just start using a servlet jar that we build on the eclipse side...there is far too much process involved in order to be able to effect that change before we release 7.3.0 this week

        If it's simply a false positive then I think we ought to just document that and work through normal channels to get whoever is testing that to not make the false positive.

        imo, suffering a false positive is better than pushing out another bespoke servlet api jar into the world

        Greg Wilkins added a comment -

        we updated the servlet jars that we built and saw that other public servlet jars have also been updated.

        Greg Wilkins made changes -
        Field Original Value New Value
        Status Open [ 1 ] Resolved [ 5 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee:
            Unassigned
            Reporter:
            Greg Wilkins