CVE-2002-1533: Jetty Javascript Inclusion Vulnerability
CVSS Score: N/A
Basic Information
CVE ID: CVE-2002-1533
GHSA ID
EPSS Score: 0.85821%
CWE
Published: 4/30/2022
Updated: 2/12/2024
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: -
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.mortbay.jetty:jetty | maven | < 4.1.1 | 4.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability lies in how Jetty's JspServlet handles filenames that contain XSS payloads with encoded linefeeds. The service method of JspServlet is the entry point for processing .jsp requests and would be responsible for handling the filename taken from the request URI. In vulnerable versions, this method likely wrote the filename into HTML responses without proper sanitization, allowing script injection when the filename contains %0a (encoded linefeed) characters. Confidence in this analysis is medium, because it is inferred from vulnerability description patterns rather than from explicit patch code.