Bug 428016 (CVE-2007-6672) - CVE-2007-6672 Jetty directory traversal
Summary: CVE-2007-6672 Jetty directory traversal
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2007-6672
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard:
Depends On: 428017 428018
Blocks:
Reported: 2008-01-08 18:02 UTC by Red Hat Product Security
Modified: 2010-12-22 23:45 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-12-22 23:45:21 UTC
Embargoed:



Description Lubomir Kundrak 2008-01-08 18:02:08 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-6672 to the following vulnerability:

Directory traversal vulnerability in Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read arbitrary files via directory traversal sequences in the URI, as demonstrated by files in WEB-INF, related to improper handling of consecutive '/' (slash) characters.

References:

http://jira.codehaus.org/browse/JETTY-386#action_117699
http://jira.codehaus.org/browse/JETTY/fixforversion/13950
http://www.kb.cert.org/vuls/id/553235
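
A defensive check for the class of flaw described above, as an added example (not code from this bug report or from Jetty): a protected-directory test applied to the raw path, next to one applied after canonicalization. The class name, method names and sample paths are constructed for illustration, and the input is assumed to be already percent-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

// Hypothetical illustration; not Jetty's implementation.
public class ProtectedPathCheck {

    // Weak form: tests the raw path, so a doubled leading slash defeats the prefix match.
    static boolean naiveIsProtected(String rawPath) {
        return rawPath.toUpperCase(Locale.ROOT).startsWith("/WEB-INF");
    }

    // Collapse empty segments (consecutive slashes) and ".", resolve "..",
    // and refuse paths that climb above the context root.
    static String canonicalize(String rawPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : rawPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    throw new IllegalArgumentException("path escapes context root");
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    // Hardened form: decide on the canonical path only (case-insensitive, a conservative choice).
    static boolean isProtected(String rawPath) {
        String canonical = canonicalize(rawPath).toUpperCase(Locale.ROOT);
        return canonical.equals("/WEB-INF") || canonical.startsWith("/WEB-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, assumed already percent-decoded.
        String[] samples = {"/index.html", "/WEB-INF/web.xml", "//WEB-INF/web.xml", "/docs/..//WEB-INF/web.xml"};
        for (String p : samples) {
            System.out.printf("%-28s naive=%-5b canonical=%-18s protected=%b%n",
                    p, naiveIsProtected(p), canonicalize(p), isProtected(p));
        }
    }
}
```

A server using this pattern would also resolve the file from the same canonical path it checked, so the access decision and the file lookup cannot disagree.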

Comment 2 Jeff Johnston 2008-04-08 23:31:16 UTC
The version of jetty in fedora is jetty5, not jetty6.  From the information
provided, it is only 6.1.5 and 6.1.6 and thus does not apply.  This bug should
be closed.  I will do so if I do not hear a reply as to why it should not be closed.



Comment 4 Red Hat Bugzilla 2009-10-23 19:04:11 UTC
Reporter changed to security-response-team by request of Jay Turner.

Comment 5 Vincent Danen 2010-12-22 23:45:21 UTC
Current Fedora has 6.1.21 or newer which is not affected by this flaw.

