{"vuid":"VU#212984","idnumber":"212984","name":"Mortbay Jetty vulnerable to HTTP response splitting","keywords":["Mortbay","Jetty","CRLF","xss","cross-site scripting","HTTP headers","http response splitting"],"overview":"Mortbay Jetty is vulnerable to HTTP response splitting, which may allow a remote, unauthenticated attacker to inject arbitrary HTTP headers into server responses.","clean_desc":"Mortbay Jetty is a web server that is written in Java. Jetty does not reject CRLF sequences in HTTP header values, so an attacker who controls data that an application copies into a response header can inject additional headers, and potentially a complete second response, into the server's output.","impact":"A remote, unauthenticated attacker may be able to perform a cross-site scripting attack, set cookies, or poison a proxy cache.","resolution":"Apply an update\nThis issue is addressed in Mortbay Jetty 6.1.6. Details are available in the release notes.","workarounds":"","sysaffected":"","thanks":"Thanks to Tomasz Kuczynski for reporting this vulnerability.","author":"This document was written by Will Dormann.","public":["http://svn.codehaus.org/jetty/jetty/trunk/VERSION.txt","http://dist.codehaus.org/jetty/jetty-6.1.6/"],"cveids":["CVE-2007-5615"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2007-06-29T12:11:12Z","publicdate":"2007-11-03T00:00:00Z","datefirstpublished":"2007-12-04T04:21:11Z","dateupdated":"2007-12-04T04:21:28Z","revision":3,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"4","cam_impact":"14","cam_easeofexploitation":"14","cam_attackeraccessrequired":"20","cam_scorecurrent":"4.41","cam_scorecurrentwidelyknown":"7.35","cam_scorecurrentwidelyknownexploited":"13.23","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.41,"vulnote":null}
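Added example (not part of the vulnerability note and not Jetty's code): a Python model of the response-splitting mechanism the note describes. `serialize_unchecked` writes headers to the wire without inspecting them, the way a server that does not filter CRLF would; `serialize_checked` adds the kind of CR/LF/NUL rejection a fixed server applies (an assumption about the fix class, not a reproduction of the Jetty 6.1.6 change). `parse_stream` reads the bytes back the way a simple proxy or cache would, so you can see that one server response turns into two, the second carrying an attacker-chosen `Set-Cookie` header and script body. The `MALICIOUS_LOCATION` value is constructed for the demonstration; the note does not state which parameter Jetty was attacked through.

```python
import re
from dataclasses import dataclass, field

CRLF = "\r\n"


@dataclass
class Response:
    """One HTTP response as a downstream parser (client, proxy, cache) sees it."""
    status_line: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def serialize_unchecked(status: str, headers: dict, body: bytes) -> bytes:
    """Write a response with no header validation: header values go to the wire
    verbatim, so CRLF inside a value becomes a line break in the head."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return (CRLF.join(lines) + CRLF + CRLF).encode("latin-1") + body


class HeaderInjectionError(ValueError):
    pass


# Characters that can never legitimately appear inside a header name or value.
_CTL = re.compile(r"[\r\n\x00]")


def check_header(name: str, value: str) -> None:
    """Reject CR, LF and NUL before the header reaches the wire (assumed fix class)."""
    if _CTL.search(name) or _CTL.search(value):
        raise HeaderInjectionError(f"CR/LF/NUL in header {name!r}")


def serialize_checked(status: str, headers: dict, body: bytes) -> bytes:
    for name, value in headers.items():
        check_header(name, value)
    return serialize_unchecked(status, headers, body)


def parse_stream(raw: bytes) -> list:
    """Parse a byte stream like a naive proxy: each response is a head terminated
    by a blank line followed by Content-Length bytes of body. Leftover bytes that
    begin with a status line are read as the *next* response, which is exactly how
    an injected second response gets cached against the next request."""
    responses, pos = [], 0
    while pos < len(raw):
        if raw.startswith(b"\r\n", pos):        # skip stray blank lines
            pos += 2
            continue
        end = raw.find(b"\r\n\r\n", pos)
        if end < 0:
            break
        head = raw[pos:end].decode("latin-1").split(CRLF)
        headers = {}
        for line in head[1:]:
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        length = int(headers.get("Content-Length", 0))
        body_start = end + 4
        responses.append(Response(head[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


# Constructed attacker input: a value the application copies into a redirect
# Location header (hypothetical vector chosen for the demonstration).
INJECTED_BODY = b"<script>alert('xss')</script>"
MALICIOUS_LOCATION = (
    "/home" + CRLF
    + "Content-Length: 0" + CRLF + CRLF                 # terminates the real response
    + "HTTP/1.1 200 OK" + CRLF                          # attacker's own second response
    + "Content-Type: text/html" + CRLF
    + "Set-Cookie: session=attacker-chosen" + CRLF
    + f"Content-Length: {len(INJECTED_BODY)}" + CRLF + CRLF
    + INJECTED_BODY.decode("latin-1")
)


def demo_unchecked() -> list:
    """Vulnerable path: one call to the server yields two parsed responses."""
    raw = serialize_unchecked("302 Found", {"Location": MALICIOUS_LOCATION}, b"")
    return parse_stream(raw)


def demo_checked() -> str:
    """Hardened path: the same input is rejected before anything is written."""
    try:
        serialize_checked("302 Found", {"Location": MALICIOUS_LOCATION}, b"")
    except HeaderInjectionError as exc:
        return str(exc)
    return "not rejected"


if __name__ == "__main__":
    for i, r in enumerate(demo_unchecked(), 1):
        print(f"response {i}: {r.status_line} headers={r.headers} body={r.body!r}")
    print("checked:", demo_checked())
```

The check belongs in the layer that writes headers, not in individual handlers: once a server refuses CR/LF in every header value, a redirect built from user input can still be an open redirect, but it can no longer become a second response.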