CVE-2011-4461
Published: 29 December 2011
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Notes
Author | Note
---|---
mdeslaur | in main in lucid, maverick, natty only
Priority
Status
Package | Release | Status
---|---|---
jetty (Launchpad, Ubuntu, Debian) | hardy | Not vulnerable (end of life)
jetty | lucid | Released (6.1.22-1ubuntu1.1)
jetty | maverick | Ignored (end of life)
jetty | natty | Released (6.1.24-6ubuntu0.11.04.1)
jetty | oneiric | Ignored (end of life)
jetty | precise | Released (6.1.24-6ubuntu0.12.04.1)
jetty | quantal | Ignored (end of life)
jetty | raring | Ignored (end of life)
jetty | saucy | Ignored (end of life)
jetty | trusty | Not vulnerable (6.1.26-1ubuntu1)
jetty | upstream | Needs triage

Patches: upstream: https://github.com/eclipse/jetty.project/commit/085c79d7d6cfbccc02821ffdb64968593df3e0bf
Severity score breakdown
Parameter | Value
---|---
Base score | 5.3
Attack vector | Network
Attack complexity | Low
Privileges required | None
User interaction | None
Scope | Unchanged
Confidentiality | None
Integrity impact | None
Availability impact | Low
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
- http://www.kb.cert.org/vuls/id/903934
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://dev.eclipse.org/mhonarc/lists/jetty-users/msg01818.html
- https://ubuntu.com/security/notices/USN-1429-1
- https://www.cve.org/CVERecord?id=CVE-2011-4461
- NVD
- Launchpad
- Debian