Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3579 to the following vulnerability: Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.

Core Security Technologies advisory CORE-2009-0922: http://www.coresecurity.com/content/jetty-persistent-xss

Sample XSS: http://localhost:8088/cookie/?Name=a&Value=<script>alert('XSS;)</script>&Age=600

Note: Issue is not fixed in 6.1.21 as noted in CORE-2009-0922. This should be a proper upstream fix to be included in 6.1.22: http://fisheye.codehaus.org/changelog/jetty/?cs=5571

This sample servlet is not shipped with jetty 5.x packages, but is included in 6.x, and the demo applications are deployed by default.
This issue affects Fedora 12 (6.1.20) and rawhide (6.1.21) and should be corrected prior to the Fedora 12 release.
Upstream patch applied to Fedora 12 and rawhide.
Example applications are no longer included in jetty 6.x packages.