For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. This can reveal sensitive information regarding the implementation of a web application. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. Published: J11:15:16 AM -0400įor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. This can result in an application used on a shared computer being left logged in. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. Published: J1:15:08 PM -0400įor Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Published: Febru3:15:09 PM -0500įor Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. A local attacker positioned inside the Secure Zone could submit a specially crafted HTTP request to disrupt service. IBM Sterling Secure Proxy 6.0.3.0, 6.0.2.0, and 3.4.3.2 and IBM Sterling External Authentication Server are vulnerable a buffer overflow, due to the Jetty based GUI in the Secure Zone not properly validating the sizes of the form content and/or HTTP headers submitted. This can lead to failures in a Proxy scenario. In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests. In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources.
UPGRADE ZIMBRA DESKTOP FROM 7.2.2 CODE
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. Once pax is installed, amavisd automatically prefers it over cpio. Also, pax is in the prerequisites of Zimbra on Ubuntu however, pax is no longer part of a default Red Hat installation after RHEL 6 (or CentOS 6).
An attacker can upload arbitrary files through amavisd via a cpio loophole (extraction to /opt/zimbra/jetty/webapps/zimbra/public) that can lead to incorrect access to any other user accounts.
An issue was discovered in Zimbra Collaboration (ZCS) 8.8.15 and 9.0.
0 kommentar(er)
