Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows remote attackers to access arbitrary files via directory traversal sequences in the URI.
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
IBM OpenPages GRC Platform 6.0.1.4
IBM OpenPages GRC Platform 6.0.1.5
IBM Power 5 Model 9407-515
IBM Power 5 System Firmware SF240_201_201
IBM Power 5 Model 9406-550
IBM OpenPages GRC Platform 5.5.0.3
IBM Power 5 Model 9406-570
IBM OpenPages GRC Platform 5.5.2.5
IBM OpenPages GRC Platform 6.0.1.1
IBM OpenPages GRC Platform 6.0.1.2
IBM Power 5 System Firmware SF240_202_201
IBM OpenPages GRC Platform 6.0.1.3
IBM Netezza Performance Portal 2.0.0.1
IBM Rational ClearQuest 7.1.0.2
IBM Rational ClearQuest 7.1.1.5
IBM Power 5 System Firmware SF240_222_201
IBM Rational ClearQuest 7.1.2
IBM Rational AppScan 8.0.0.3 Enterprise
IBM Rational ClearQuest 7.1.2.12
IBM Rational ClearCase 8.0.0.9
IBM Rational ClearQuest 2003-06-00
IBM Rational Clearquest 7.0.1.1-ifix01
IBM Rational Clearquest 7.0.1.1
IBM Rational ClearQuest 7.1.0.1
IBM Rational ClearCase 8.0.0.8
IBM Rational ClearQuest 7.1
IBM Rational ClearCase 8.0.0.7
IBM Rational ClearQuest 2003-06-12
IBM Rational ClearQuest 2007
IBM Rational ClearQuest
IBM Rational ClearQuest 2003-06-13
IBM Rational Clearquest 2.1.1063
IBM Rational ClearQuest 2003-06-10
IBM Rational ClearQuest 2008
IBM Rational ClearQuest 2003-06-14
IBM Power 5 Model 9406-525
IBM Power 5 Model 9405-520
IBM Platform Symphony 6.1.1
IBM Power 5 Model 9406-520
IBM Platform Symphony Developer Edition 6.1.1
IBM Rational Clearquest 2.1.1112
IBM Net.Commerce Start
IBM Rational 5.3
IBM Rational ClearQuest 2002-05-20
IBM QRadar Vulnerability Manager 7.2.0
IBM Net.Data
IBM Rational Clearcase 2.1.1063
IBM Rational ClearQuest 2002-05-00
IBM QRadar Security Information and Event Manager (SIEM) 7.2.4
IBM Net.Data 7.0
IBM Rational 4.7
IBM Net.Data 7.2
IBM Rational 5.1
IBM Rational ClearQuest 2003-06-15
IBM Rational ClearCase 7.1.1.9
IBM Rational Clearcase Lt 2.1.1063
IBM Rational ClearCase 7.1.1.5
IBM Rational ClearCase 8.0.1.2
IBM Rational ClearCase 7.1.1.4
IBM Rational ClearCase 7.1.1.6
IBM Rational Clearcase Lt 7.0.1.1
IBM QRadar Vulnerability Manager 7.2.2
IBM QRadar Vulnerability Manager 7.2.1
IBM Netezza 6.0.5
IBM Netezza 6.0.8
IBM Netezza 7.0
IBM Netezza Performance Portal 2.0.0.0
IBM Rational ClearCase 7.1.1.3
IBM Rational ClearCase 8.0.0.6
IBM Rational ClearCase 7.1.1.7
IBM Rational ClearCase 7.1.1.8
IBM Rational ClearCase 8.0.1.1
IBM Rational ClearQuest 7.1.1.4
IBM Rational ClearQuest 7.0.1
IBM Power 5 Model 9116-561
IBM Power 5 Model 9117-570
IBM Power 5 System Firmware SF240_284_201
IBM Rational ClearCase 7.1.2.6
IBM Power 5 System Firmware SF240_298_201
IBM Rational ClearCase 7.1.2.5
IBM Rational ClearCase 7.1.2.9
IBM Rational ClearCase 7.1.2.7
IBM Power 5 System Firmware SF240_233_201
IBM Power 5 System Firmware SF240_258_201
IBM Power 5 System Firmware SF240_259_201
IBM Rational ClearCase 8.0.0.5
IBM Power 5 System Firmware SF240_261_201
IBM Net.Commerce 2.0
IBM Navio NC Browser
IBM Net.Commerce
IBM Rational ClearQuest 7.1.2.3
IBM Platform Symphony 6.1
IBM Rational ClearCase 8.0.0.2
IBM Rational ClearQuest 7.1.2.2
IBM OS_400 V4R3
IBM Platform Symphony Developer Edition 5.2
IBM Rational ClearQuest 7.0.0.1
IBM OS_400 V4R2M0
IBM Platform Symphony 6.1.0.1
IBM Rational ClearQuest 7.0.0.0
IBM OS_400 V4R2
IBM Platform Symphony Developer Edition 6.1.0
IBM OS_400 5.2
IBM Parallel Environment 3.2
IBM Monitoring Server (ms) and Shared Libraries (ax) 6.2.0
IBM OS_400 4.4
IBM Parallel Environment
IBM Platform Symphony 5.2
IBM Rational ClearCase 8.0.0.4
IBM Parallel Environment 4.1
IBM Rational ClearCase 8.0.0.3
IBM Monitoring Server (ms) and Shared Libraries (ax) 6.2.3
IBM Monitoring Server (ms) and Shared Libraries (ax) 6.3.0
IBM Monitoring Server (ms) and Shared Libraries (ax) 6.2.1
IBM Monitoring Server (ms) and Shared Libraries (ax) 6.2.2
IBM Rational AppScan 5.6.0 Enterprise
IBM Rational AppScan 5.5.0.2 Enterprise
IBM Rational Automation Framework 3.0.0.3
IBM Rational Automation Framework 3.0.0.1
IBM Rational AppScan Source 8.0.0.0
IBM Rational AppScan 8.5.0.0 Enterprise
IBM Power 5 System Firmware SF240_338_201
IBM Power 5 System Firmware SF240_332_201
IBM Rational AppScan 8.5.0 Enterprise
IBM Rational AppScan 8.0.1.1 Enterprise
IBM Rational AppScan 8.0.1 Enterprise
IBM Rational ClearCase 8.0.1
IBM Rational AppScan 8.0.0.2 Enterprise
IBM Rational ClearQuest 7.0
IBM Rational AppScan 8.0.0.1 Enterprise
IBM Rational ClearQuest 7.1.1.2
IBM Rational ClearQuest 7.1.1.3
IBM Rational ClearCase 8.0.0.1
IBM Power 5 System Firmware SF240_219_201
IBM Power 5 System Firmware SF240_320_201
IBM Power 5 System Firmware SF240_299_201
IBM QRadar Risk Manager 7.2.1
IBM Net.Commerce Hosting Server 3.1.2
IBM QRadar Risk Manager 7.2.0
IBM QRadar Risk Manager 7.1.0
IBM Mobile Foundation 6.0.0.2
IBM Rational ClearCase 7.1.2.3
IBM PureApplication System 1.1.0.4
IBM PureApplication System 1.1.0.2
IBM PureApplication System 1.1.0.1
IBM PureApplication System 1.1.0.0
IBM PureApplication System 1.0.0.3
IBM Net.Commerce Pro
IBM Net.Commerce Hosting Server 3.1.1
IBM Mobile Foundation 6.0.0.1
IBM Net.Commerce Hosting Server 3.2
IBM Net.Commerce Hosting Server
IBM Mobile Foundation 5.0.6.2
IBM Netezza Performance Portal 2.0.0.2
IBM Net.Commerce 3.1.1
IBM Netfinity Remote Control
IBM Netezza Performance Portal 2.0.0.4
IBM Network Appliance Data ONTAP 7.0
IBM Mobile Foundation 6.0.0.0
IBM Network Appliance Data ONTAP
IBM Net.Commerce 3.1.2
IBM Network Appliance Data ONTAP 7.1
IBM Optim Performance Manager 4.1.1.1
IBM Optim Performance Manager 5.1.0
IBM Operational Decision Manager 8.5
IBM Optim Performance Manager 4.1.1
IBM Optim Workload Replay 2.1.0.1
IBM PowerVC Standard Edition 1.2.1.0
IBM Optim Workload Replay 2.1
IBM OS_390
IBM Proventia Network IPS GX5108
IBM Optim Workload Replay 2.1.0.2
IBM Proventia Network IPS GX5008
IBM PowerVC Standard Edition 1.2.0.1
IBM OS_400
IBM PowerVC Express Edition 1.2.1.0
IBM PureApplication System 1.0.0.0
IBM Proventia Network IPS GX5108 1.3
IBM PureApplication System 1.0.0.1
IBM Mobile Foundation 5.0.0.3
IBM Mobile Foundation 5.0.0.2
IBM Mobile Foundation 5.0.5.1
IBM Mobile Foundation 5.0.5.0
IBM Mobile Foundation 5.0.6.1
IBM Mobile Foundation 5.0.6.0
IBM OpenPages GRC Platform 5.5.2.2
IBM OpenPages GRC Platform 5.5.2.1
IBM OpenPages GRC Platform 5.5.0.5
IBM PowerVC Standard Edition 1.2.0.2
IBM OpenPages GRC Platform 5.5.0.4
IBM Rational ClearCase 7.1.0.2
IBM PowerVC Express Edition 1.2.0.3
IBM OpenPages GRC Platform 5.5.2.4
IBM Rational ClearCase 7.1.1
IBM OpenPages GRC Platform 5.5.2.3
IBM PowerVC Express Edition 1.2.0.2
IBM Rational ClearCase 7.1.2.15
IBM Rational ClearCase 7.1.2.10
IBM Power 5 System Firmware SF240_358_201
IBM OpenPages GRC Platform 5.5.2.0
IBM Rational ClearCase 7.1.2.11
IBM Power 5 System Firmware SF240_371
IBM OpenPages GRC Platform 5.5.1.0
IBM Rational ClearCase 7.1.2
IBM Rational ClearCase 7.1.1.1
IBM Rational ClearCase 7.1.2.1
IBM OS_400 V4R4
IBM Rational ClearCase 7.1.2.12
IBM Rational ClearCase 7.1.1.2
IBM QRadar Security Information and Event Manager (SIEM) 7.2.1
IBM PureApplication System 2.0.0.0
IBM QRadar Security Information and Event Manager (SIEM) 7.0.1
IBM QRadar Security Information and Event Manager (SIEM) 7.1.0
IBM Rational ClearQuest 7.1.2.6 (Fix Pack 6)
IBM Rational ClearCase 7.1.2.16
IBM PureApplication System 1.0.0.4
IBM Rational ClearCase 7.1.2.2
IBM PureApplication System 1.1.0.3
IBM Net.Commerce 3.1
IBM Operational Decision Manager 8.0
IBM QuickFile 1.0.0.0
IBM Network Station Manager
IBM Notes Traveler for Android 9.0.1.2
IBM Network Appliance Data ONTAP 7.2RC2
IBM Net.Commerce 3.0
IBM Network Appliance Data ONTAP 7.2RC3
IBM Network Appliance Data ONTAP 7.1.0.1
IBM Network Appliance Data ONTAP 7.2RC1
IBM Rational AppScan Source 8.0.0.2
IBM QRadar Vulnerability Manager 7.2.3
IBM Rational AppScan Source 8.5.0.0
IBM QRadar Vulnerability Manager 7.2.4
IBM Rational AppScan Source 8.5.0.1
IBM Rational AppScan 8.0.0 Enterprise
IBM Rational Automation Framework 3.0
IBM Rational Build Forge 7.1.0
IBM Rational Automation Framework 3.0.0.5
IBM Proventia Network IPS GX5008 1.5
IBM Rational ClearCase 7.1.0.1
IBM PowerVC Express Edition 1.2.1.1
IBM Rational ClearCase 7.1
IBM OS_2 FTP Server 4.3
PureEdge Solutions PureEdge Viewer 6.5.0
IBM OS_400 V5R2M0
IBM Power 5 Model 9118-575
IBM Power 5 Model 9123-710
IBM Power 5 Model 9111-520
IBM Power 5 Model 9113-550
IBM OS_2 FTP Server 4.0
IBM Power 5 Model 9133-55A
IBM OS_400 V5R1
IBM OS_400 V4R5
IBM Power 5 Model 9124-720
IBM OS_400 V5R3M0
IBM Power 5 Model 9131-52A
IBM OS_2 FTP Server
IBM OS2
IBM Mobile Foundation 5.0.0.0
IBM OS_2 FTP Server 4.2
IBM PowerVC Express Edition 1.2.0.0
IBM Rational AppScan 5.5.0.1 Enterprise
IBM QuickFile 1.1.0.0
IBM QuickFile 1.1.0.1
IBM QRadar Risk Manager 7.2.4
IBM Power 5 System Firmware SF240_418
IBM PowerVC Express Edition 1.2.0.1
IBM QRadar Risk Manager 7.2.3
IBM QRadar Security Information and Event Manager (SIEM) 7.0.0
IBM PureApplication System 1.0.0.2
IBM QRadar Risk Manager 7.2.2
IBM System z9 Business Class Model R07 (Machine Type 2096)
IBM QRadar Security Information and Event Manager (SIEM) 7.2.2
IBM RACF
IBM QRadar Security Information and Event Manager (SIEM) 7.2.3
IBM Rational ClearQuest 7.1.2.5
IBM PowerVC Standard Edition 1.2.1.1
IBM OpenPages GRC Platform 5.5.0.0
IBM Rational ClearCase 8.0
IBM OpenPages GRC Platform 5.5.0.1
IBM Rational Clearcase 7.0.1.1
IBM Notes Traveler Companion for Windows Phone 1.0
IBM Notes Traveler Companion for Windows Phone 1.1
IBM Rational ClearCase 8.0.0
IBM Rational ClearQuest 7.1.2.4
IBM Rational AppScan 5.6.0.3 Enterprise
IBM Rational Automation Framework 3.0.0.2
IBM Rational Automation Framework 3.0.0.4
IBM Rational AppScan Source 8.0.0.1
IBM Rational AppScan 5.5.0 Enterprise
IBM Rational ClearQuest 7.1.2.11
IBM PowerVC Standard Edition 1.2.0.0
IBM Power 5 System Firmware SF240_418_382
IBM MessageSight 1.0.0.1
IBM Rational ClearCase 7.1.2.4
IBM Rational ClearQuest 7.1.2.10
IBM Rational ClearQuest 7.1.2.1
IBM Rational ClearQuest 7.1.1.8
IBM Rational 5.2
IBM Rational ClearQuest 7.1.1.6
IBM Mobile Foundation 5.0.0.1
IBM Power 5 System Firmware SF240_382_382
IBM Monitoring Agent for UNIX logs 6.2.1
IBM Monitoring Agent for UNIX logs 6.2.0
IBM Monitoring Agent for UNIX logs 6.2.3
IBM Monitoring Agent for UNIX logs 6.2.2
IBM QRadar Security Information and Event Manager (SIEM) 7.2.0
IBM Power 5 System Firmware SF240_415_382
IBM Power 5 System Firmware SF240_403_382
IBM Mobile Foundation 6.1.0.1
IBM Mobile Foundation 6.1.0.0
IBM Power 5 Model 9110-51A
IBM Power 5 Model 9110-510
IBM Power 5 Model 9111-285
IBM Power 5 Model 9115-505
IBM OpenPages GRC Platform 7.0.0.0
IBM Rational Agent Controller 7.0.3.3
IBM OpenPages GRC Platform 7.0.0.1
IBM Rational AppScan 8.5.0.1 Enterprise
IBM OpenPages GRC Platform 6.2.1.0
IBM OpenPages GRC Platform 6.2.1.1
IBM OpenPages GRC Platform 7.0.0.2
IBM Operational Decision Manager 7.5
IBM MessageSight 1.1.0.0
IBM OpenPages GRC Platform 6.1.0.1.4
IBM OpenPages GRC Platform 6.2.0.0
IBM OpenPages GRC Platform 6.1.0.0
IBM OpenPages GRC Platform 6.1.0.1
IBM MessageSight 1.0.0.0
IBM Rational AppScan 5.2 Enterprise
IBM Netezza Performance Portal 2.0.0.3
IBM Rational ClearQuest 7.1.1.9
IBM Rational ClearQuest 7.1.1.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (ID 22)
Related CAPEC (7):
Relative Path Traversal (CAPEC-ID 139)
Directory Traversal (CAPEC-ID 213)
File System Function Injection, Content Based (CAPEC-ID 23)
Using Slashes and URL Encoding Combined to Bypass Validation Logic (CAPEC-ID 64)
Manipulating Input to File System Calls (CAPEC-ID 76)
Using Escaped Slashes in Alternate Encoding (CAPEC-ID 78)
Using Slashes in Alternate Encoding (CAPEC-ID 79)