What is CVE-2015-2080?

CVE-2015-2080 is a high-severity vulnerability in Eclipse Jetty, classified under Information Disclosure. CVSS score: 7.5/10. Published 2016-10-07.

How severe is CVE-2015-2080?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2015-2080 known to be exploited?

17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Information disclosure in Eclipse Jetty

CVE-2015-2080

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.

Vulnerability class: Information Disclosure

EPSS: 0.914 (99.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N.

Affected products

Eclipse Jetty — versions 9.2.3, 9.2.4, 9.2.5
Fedoraproject Fedora — versions 22
N/a — versions n/a

Weakness classification (CWE)

CWE-200 — Information Disclosure

Public proof-of-concept exploits

References

20150301 GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server (mailing-list, Exploit, x_refsource_FULLDISC, Third Party Advisory)
[jetty-announce] 20150224 Critical Security Release of Jetty 9.2.9.v20150224 (Vendor Advisory, mailing-list, x_refsource_MLIST)
[jetty-announce] 20150225 CVE-2015-2080 : JetLeak Vulnerability Remote Leakage of Shared Buffers in Jetty (Vendor Advisory, mailing-list, x_refsource_MLIST)
cve@mitre.org (x_refsource_CONFIRM)
72768 (vdb-entry, x_refsource_BID, Broken Link)
cve@mitre.org (x_refsource_CONFIRM, Exploit, Vendor Advisory)
1031800 (Third Party Advisory, vdb-entry, x_refsource_SECTRACK)
cve@mitre.org (Exploit, Third Party Advisory, x_refsource_MISC)
cve@mitre.org (Exploit, Third Party Advisory, x_refsource_MISC)
20150225 GDS Labs Alert [CVE-2015-2080] - JetLeak Vulnerability: Remote Leakage Of Shared Buffers In Jetty Web Server (mailing-list, x_refsource_BUGTRAQ)

Frequently asked questions

What is CVE-2015-2080?: CVE-2015-2080 is a high-severity vulnerability in Eclipse Jetty, classified under Information Disclosure. CVSS score: 7.5/10. Published 2016-10-07.
How severe is CVE-2015-2080?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2015-2080 known to be exploited?: 17 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.