pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
26379462a9
vuln-list-alt/oval/c9f2/ALT-PU-2021-2857/definitions.json
pepelyaevip 9d72b75f75 ALT Vulnerability
2024-12-12 21:07:30 +00:00

389 lines
20 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20212857",
"Version": "oval:org.altlinux.errata:def:20212857",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2021-2857: package `jetty` update to version 9.4.19-alt1_1.v20190610jpp8",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2021-2857",
"RefURL": "https://errata.altlinux.org/ALT-PU-2021-2857",
"Source": "ALTPU"
},
{
"RefID": "BDU:2019-04281",
"RefURL": "https://bdu.fstec.ru/vul/2019-04281",
"Source": "BDU"
},
{
"RefID": "BDU:2021-04177",
"RefURL": "https://bdu.fstec.ru/vul/2021-04177",
"Source": "BDU"
},
{
"RefID": "BDU:2022-02206",
"RefURL": "https://bdu.fstec.ru/vul/2022-02206",
"Source": "BDU"
},
{
"RefID": "BDU:2022-02668",
"RefURL": "https://bdu.fstec.ru/vul/2022-02668",
"Source": "BDU"
},
{
"RefID": "CVE-2017-7656",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7656",
"Source": "CVE"
},
{
"RefID": "CVE-2017-7657",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7657",
"Source": "CVE"
},
{
"RefID": "CVE-2017-7658",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-7658",
"Source": "CVE"
},
{
"RefID": "CVE-2018-12536",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2018-12536",
"Source": "CVE"
}
],
"Description": "This update upgrades jetty to version 9.4.19-alt1_1.v20190610jpp8. \nSecurity Fix(es):\n\n * BDU:2019-04281: Уязвимость компонента DefaultServlet HTTP-сервера Jetty, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2021-04177: Уязвимость контейнера сервлетов Eclipse Jetty, связанная с непоследовательной интерпретацией http-запросов, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации\n\n * BDU:2022-02206: Уязвимость реализации протокола Hypertext Transfer Protocol (HTTP/1.1) контейнера сервлетов Eclipse Jetty, позволяющая нарушителю отправить скрытый HTTP-запрос (атака типа HTTP Request Smuggling)\n\n * BDU:2022-02668: Уязвимость контейнера сервлетов Jetty, существующая из-за неправильной обработки запросов HTTP/0.9, позволяющая нарушителю оказать воздействие на конфиденциальность и целостность защищаемой информации\n\n * CVE-2017-7656: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.\n\n * CVE-2017-7657: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.\n\n * CVE-2017-7658: In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.\n\n * CVE-2018-12536: In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2021-09-23"
},
"Updated": {
"Date": "2021-09-23"
},
"BDUs": [
{
"ID": "BDU:2019-04281",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "CWE-200, CWE-209",
"Href": "https://bdu.fstec.ru/vul/2019-04281",
"Impact": "Low",
"Public": "20180607"
},
{
"ID": "BDU:2021-04177",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190, CWE-444",
"Href": "https://bdu.fstec.ru/vul/2021-04177",
"Impact": "Critical",
"Public": "20180626"
},
{
"ID": "BDU:2022-02206",
"CVSS": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2022-02206",
"Impact": "Critical",
"Public": "20180607"
},
{
"ID": "BDU:2022-02668",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"CWE": "CWE-444",
"Href": "https://bdu.fstec.ru/vul/2022-02668",
"Impact": "High",
"Public": "20180626"
}
],
"CVEs": [
{
"ID": "CVE-2017-7656",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7656",
"Impact": "High",
"Public": "20180626"
},
{
"ID": "CVE-2017-7657",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-190",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7657",
"Impact": "Critical",
"Public": "20180626"
},
{
"ID": "CVE-2017-7658",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "CWE-444",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-7658",
"Impact": "Critical",
"Public": "20180626"
},
{
"ID": "CVE-2018-12536",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2018-12536",
"Impact": "Low",
"Public": "20180627"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20212857001",
"Comment": "jetty is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857002",
"Comment": "jetty-alpn-client is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857003",
"Comment": "jetty-alpn-server is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857004",
"Comment": "jetty-annotations is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857005",
"Comment": "jetty-ant is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857006",
"Comment": "jetty-cdi is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857007",
"Comment": "jetty-client is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857008",
"Comment": "jetty-continuation is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857009",
"Comment": "jetty-deploy is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857010",
"Comment": "jetty-fcgi-client is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857011",
"Comment": "jetty-fcgi-server is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857012",
"Comment": "jetty-http is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857013",
"Comment": "jetty-http-spi is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857014",
"Comment": "jetty-http2-client is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857015",
"Comment": "jetty-http2-common is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857016",
"Comment": "jetty-http2-hpack is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857017",
"Comment": "jetty-http2-http-client-transport is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857018",
"Comment": "jetty-http2-server is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857019",
"Comment": "jetty-io is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857020",
"Comment": "jetty-jaas is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857021",
"Comment": "jetty-jaspi is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857022",
"Comment": "jetty-javadoc is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857023",
"Comment": "jetty-javax-websocket-client-impl is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857024",
"Comment": "jetty-javax-websocket-server-impl is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857025",
"Comment": "jetty-jmx is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857026",
"Comment": "jetty-jndi is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857027",
"Comment": "jetty-jsp is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857028",
"Comment": "jetty-jspc-maven-plugin is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857029",
"Comment": "jetty-jstl is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857030",
"Comment": "jetty-maven-plugin is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857031",
"Comment": "jetty-nosql is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857032",
"Comment": "jetty-plus is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857033",
"Comment": "jetty-project is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857034",
"Comment": "jetty-proxy is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857035",
"Comment": "jetty-quickstart is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857036",
"Comment": "jetty-rewrite is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857037",
"Comment": "jetty-security is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857038",
"Comment": "jetty-server is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857039",
"Comment": "jetty-servlet is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857040",
"Comment": "jetty-servlets is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857041",
"Comment": "jetty-spring is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857042",
"Comment": "jetty-start is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857043",
"Comment": "jetty-unixsocket is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857044",
"Comment": "jetty-util is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857045",
"Comment": "jetty-util-ajax is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857046",
"Comment": "jetty-webapp is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857047",
"Comment": "jetty-websocket-api is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857048",
"Comment": "jetty-websocket-client is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857049",
"Comment": "jetty-websocket-common is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857050",
"Comment": "jetty-websocket-server is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857051",
"Comment": "jetty-websocket-servlet is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20212857052",
"Comment": "jetty-xml is earlier than 0:9.4.19-alt1_1.v20190610jpp8"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink