CVE-2015-2080
Jetty vulnerable to exposure of sensitive information to unauthenticated remote users
CVSS 3.1: 7.5 (HIGH)
EPSS: 91.4%
Description
The exception handling code in Eclipse Jetty prior to 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
How to fix CVE-2015-2080
To remediate CVE-2015-2080, upgrade the affected package to the fixed version listed below.
- Maven/org.eclipse.jetty:jetty-server: upgrade to 9.2.9.v20150224 or later
Is CVE-2015-2080 being exploited?
Likely — EPSS is 91.4%, placing CVE-2015-2080 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- Maven/org.eclipse.jetty:jetty-server: from 0, < 9.2.9.v20150224
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |