Jetty

CVE-2007-6203

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.0.0beta8, 6.0.0beta9, 6.0.0beta10, 6.0.0beta11, 6.0.0beta12, 6.0.0beta14, 6.0.0beta15, 6.0.0beta16, 6.0.0beta17, 6.0.0RC0, 6.0.0rc1, 6.0.0rc2, 6.0.0rc3, 6.0.0rc4, 6.0.0, 6.0.1, 6.0.2, 6.1.0pre0, 6.1.0pre1, 6.1.0pre2, 6.1.0pre3, 6.1.0rc0, 6.1.0rc1, 6.1.0rc2, 6.1.0rc3, 6.1.0, 6.1.1rc0, 6.1.1rc1, 6.1.1, 6.1.2rc0, 6.1.2rc1, 6.1.2rc2, 6.1.2rc3, 6.1.2rc4, 6.1.2rc5, 6.1.2, 6.1.3, 6.1.4rc0, 6.1.4rc1, 6.1.4, 6.1.5rc0, 6.1.5, 6.1.6rc0, 6.1.6rc1, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 7.0.0pre0, 7.0.0pre1, 7.0.0pre2, 7.0.0pre3, 7.0.0pre4, 7.0.0.pre5, 7.0.0.RC4, 7.0.0.RC5, 7.0.0.RC6, 7.0.0, 7.0.1, 6.1.10, 6.1.11, 6.1.12rc1, 6.1.12.rc2, 6.1.12.rc3, 6.1.12.rc4, 6.1.12.rc5, 6.1.12, 6.1.14, 6.1.15.pre0, 6.1.15.rc2, 6.1.15.rc3, 6.1.15.rc4, 6.1.15.rc5, 6.1.15, 6.1.16, 6.1.17, 6.1.18, 6.1.19, 6.1.20, 6.1.21, 6.1.22, 6.1.23, 6.1.24, 6.1.25, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.2, 8.0.0.M0, 8.0.0.M1
  • Fix Version/s: None
  • Component/s: Servlet
  • Labels:
    None
  • Number of attachments :
    0

Description

A check for CVE-2007-6203 detected that the servlet API jar is also suffering from this issue and not sanitizing the METHOD in the error return.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203

I check of the servlet api source revealed that illegal cookie names are also not sanitized. This issue appears in the latest versions of the servlet API and is not strictly a jetty problem.

Jetty versions will be updated to use custom build servlet.jar without this cross site scripting vulnerability.

Activity

People

  • Assignee:
    Unassigned
    Reporter:
    Greg Wilkins
Vote (0)
Watch (0)

Dates

  • Created:
    Updated:
    Resolved: