Miggo Logo

CVE-2002-1533: Jetty Javascript Inclusion Vulnerability

N/A

CVSS Score

Basic Information

EPSS Score
0.85821%
Published
4/30/2022
Updated
2/12/2024
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
-
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.mortbay.jetty:jettymaven< 4.1.14.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability exists in how Jetty's JspServlet handles filenames containing XSS payloads with encoded linefeeds. The service method of JspServlet is the entry point for processing .jsp requests and would be responsible for handling the filename parameter from the URI. In vulnerable versions, this method likely directly used the filename in HTML responses without proper sanitization, allowing script injection when the filename contains %0a characters. The confidence is medium as we're inferring based on vulnerability description patterns rather than explicit patch code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* s*riptin* (XSS) vuln*r**ility in J*tty JSP s*rvl*t *n*in* *llows r*mot* *tt**k*rs to ins*rt *r*itr*ry *TML or s*ript vi* *n *TTP r*qu*st to * .jsp *il* w*os* n*m* *ont*ins t** m*li*ious s*ript *n* som* *n*o*** lin***** ***r**t*rs (`%**`).

Reasoning

T** vuln*r**ility *xists in *ow J*tty's JspS*rvl*t **n*l*s *il*n*m*s *ont*inin* XSS p*ylo**s wit* *n*o*** lin*****s. T** s*rvi** m*t*o* o* JspS*rvl*t is t** *ntry point *or pro**ssin* .jsp r*qu*sts *n* woul* ** r*sponsi*l* *or **n*lin* t** *il*n*m* p