Skip to main content

Observable Discrepancy


Severity High
Score 7.5/10


Jetty-util before 9.2.22, 9.3.x before 9.3.20 and 9.4.x before 9.4.6 is prone to a timing channel in util/security/, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

  • LOW
  • NONE
  • NONE
  • NONE
  • HIGH
  • NONE

CWE-203 - Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.


Advisory Timeline

  • Published