Vulnerability Details : CVE-2015-2080
Potential exploit
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Products affected by CVE-2015-2080
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:m1:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.3.0:m0:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:eclipse:jetty:9.2.6:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-2080
- 92.41%: Probability of exploitation activity in the next 30 days
- ~ 100 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-2080
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2015-2080
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-2080
- http://www.securityfocus.com/archive/1/534755/100/1600/threaded
  SecurityFocus
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00074.html
  [jetty-announce] Critical Security Release of Jetty 9.2.9.v20150224 (Vendor Advisory)
- https://github.com/eclipse/jetty.project/blob/jetty-9.2.x/advisories/2015-02-24-httpparser-error-buffer-bleed.md
  jetty.project/2015-02-24-httpparser-error-buffer-bleed.md at jetty-9.2.x · eclipse/jetty.project · GitHub (Exploit; Vendor Advisory)
- https://security.netapp.com/advisory/ntap-20190307-0005/
  CVE-2015-2080 Eclipse Jetty Vulnerability in NetApp Products | NetApp Product Security
- http://packetstormsecurity.com/files/130567/Jetty-9.2.8-Shared-Buffer-Leakage.html
  Jetty 9.2.8 Shared Buffer Leakage ≈ Packet Storm (Exploit; Third Party Advisory)
- http://seclists.org/fulldisclosure/2015/Mar/12
  Full Disclosure: GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server (Exploit; Third Party Advisory)
- http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00075.html
  [jetty-announce] CVE-2015-2080 : JetLeak Vulnerability Remote Leakage of (Vendor Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151804.html
  [SECURITY] Fedora 22 Update: jetty-9.2.9-1.fc22 (Third Party Advisory)
- http://www.securityfocus.com/bid/72768
  Jetty CVE-2015-2080 Information Disclosure Vulnerability (Broken Link)
- http://www.securitytracker.com/id/1031800
  Jetty HTTP Parsing Bug Lets Remote Users Obtain Sensitive Information From Previous User Requests - SecurityTracker (Third Party Advisory)
- https://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html
  GDS - Blog - JetLeak Vulnerability: Remote Leakage of Shared Buffers in Jetty Web Server [CVE-2015-2080] (Exploit; Third Party Advisory)