Bug 428016 (CVE-2007-6672)

Summary: CVE-2007-6672 Jetty directory traversal
Product: [Other] Security Response
Reporter: Red Hat Product Security <security-response-team>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: jjohnstn
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
URL: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6672
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-22 23:45:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 428017, 428018
Bug Blocks:

Description Lubomir Kundrak 2008-01-08 18:02:08 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6672 to the following vulnerability:

Directory traversal vulnerability in Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read arbitrary files via directory traversal sequences in the URI, as demonstrated by files in WEB-INF, related to improper handling of consecutive '/' (slash) characters.

References:

http://jira.codehaus.org/browse/JETTY-386#action_117699
http://jira.codehaus.org/browse/JETTY/fixforversion/13950
http://www.kb.cert.org/vuls/id/553235
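The flaw class the CVE text describes is a protected-resource check applied to the raw request path, so that a path with doubled slashes no longer matches the guarded prefix. The following is an added illustration written for this page, not Jetty's own code: a naive prefix check beside a hardened one that canonicalizes the path (collapsing repeated '/' and resolving '.' and '..') before deciding; the request paths are constructed, and the check assumes the path has already been percent-decoded.

```python
import posixpath
import re

# Prefixes a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(uri: str) -> bool:
    """Raw-string check: matches only an exact '/WEB-INF/' prefix,
    so '//WEB-INF/...' slips past it (the defect pattern named in the CVE)."""
    return uri.upper().startswith(PROTECTED_PREFIXES)


def canonicalize(uri: str) -> str:
    """Collapse runs of '/' and resolve '.' / '..' before any access decision.
    posixpath.normpath never climbs above '/', so '/../WEB-INF' stays rooted."""
    collapsed = re.sub(r"/+", "/", uri)
    norm = posixpath.normpath(collapsed)
    if not norm.startswith("/"):
        norm = "/" + norm
    return norm


def hardened_is_protected(uri: str) -> bool:
    """Decide on the canonical form, and also catch the bare directory name
    (normpath strips the trailing slash from '/WEB-INF/')."""
    canon = canonicalize(uri).upper()
    bare = tuple(p.rstrip("/") for p in PROTECTED_PREFIXES)
    return canon.startswith(PROTECTED_PREFIXES) or canon in bare


if __name__ == "__main__":
    # Constructed sample paths; the second one is the shape the naive check misses.
    for path in ("/WEB-INF/web.xml", "//WEB-INF/web.xml", "/app/..//WEB-INF/web.xml", "/index.html"):
        print(f"{path:28} naive={naive_is_protected(path)!s:5} hardened={hardened_is_protected(path)}")
```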

Comment 2 Jeff Johnston 2008-04-08 23:31:16 UTC
The version of jetty in fedora is jetty5, not jetty6.  From the information
provided, it is only 6.1.5 and 6.1.6 and thus does not apply.  This bug should
be closed.  I will do so if I do not hear a reply as to why it should not be closed.

Comment 4 Red Hat Bugzilla 2009-10-23 19:04:11 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 5 Vincent Danen 2010-12-22 23:45:21 UTC
Current Fedora has 6.1.21 or newer which is not affected by this flaw.