Observable Discrepancy

CVE-2017-9735

High

7.5/10

Summary

Jetty-util before 9.2.22, 9.3.x before 9.3.20 and 9.4.x before 9.4.6 is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-203 - Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Issue

Advisory Timeline

Published Jun 16, 2017

Observable Discrepancy

CVE-2017-9735

Summary

CWE-203 - Observable Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS