{"id":"CVE-2016-4800","details":"The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.","aliases":["GHSA-872g-2h8h-362q"],"modified":"2026-04-10T03:52:30.510906Z","published":"2017-04-13T14:59:01.760Z","references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/90945"},{"type":"ADVISORY","url":"http://www.zerodayinitiative.com/advisories/ZDI-16-362"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20190307-0006/"},{"type":"FIX","url":"http://dev.eclipse.org/mhonarc/lists/jetty-announce/msg00092.html"},{"type":"FIX","url":"http://www.ocert.org/advisories/ocert-2016-001.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/jetty.project","events":[{"introduced":"0"},{"last_affected":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"introduced":"0"},{"last_affected":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"introduced":"0"},{"last_affected":"224f63adf3cb5709e0c4ce97e87cb6d2d080cf06"},{"introduced":"0"},{"last_affected":"18acd5e78e1325485299fa6e2e2ac834df8424b0"},{"introduced":"0"},{"last_affected":"299458fe51e7127429720e8a7ebf8f2bb421ecf6"},{"introduced":"0"},{"last_affected":"bc673eab1a2d21e568cde2cf786ee062529ab3d2"},{"introduced":"0"},{"last_affected":"cae7e6543057a603e021dfff8453ecae95816130"},{"introduced":"0"},{"last_affected":"0484a0b3ec71d06f2ee29161bd000a9669dca4fd"},{"introduced":"0"},{"last_affected":"29722bd8803e76bbdbf70266cb9399560c10b712"},{"introduced":"0"},{"last_affected":"d737e1c638653988ce7d8e5bfb89859347e1c306"},{"introduced":"0"},{"last_affected":"c0b191119b74afafb6b59ecaa9d7a66dae056498"},{"introduced":"0"},{"last_affected":"e81912f98c9af8927fdc0505df7011c1e368112a"},{"introduced":"0"},{"last_affected":"21ca3f6690bff813c546a1da4bb7950c3f91a814"},{"introduced":"0"},{"last_affected":"bee564c7d942447f02e8d87a2ea5fe30e651a59c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"9.3.0"},{"introduced":"0"},{"last_affected":"9.3.0-m0"},{"introduced":"0"},{"last_affected":"9.3.0-m1"},{"introduced":"0"},{"last_affected":"9.3.0-maintenance2"},{"introduced":"0"},{"last_affected":"9.3.0-rc0"},{"introduced":"0"},{"last_affected":"9.3.0-rc1"},{"introduced":"0"},{"last_affected":"9.3.4-rc0"},{"introduced":"0"},{"last_affected":"9.3.4-rc1"},{"introduced":"0"},{"last_affected":"9.3.5"},{"introduced":"0"},{"last_affected":"9.3.6"},{"introduced":"0"},{"last_affected":"9.3.7"},{"introduced":"0"},{"last_affected":"9.3.7-rc0"},{"introduced":"0"},{"last_affected":"9.3.7-rc1"},{"introduced":"0"},{"last_affected":"9.3.8-rc0"}]}}],"versions":["jetty-8.0.0.RC0","jetty-8.1.0.RC0","jetty-9.1.0.M0","jetty-9.1.0.RC0","jetty-9.1.0.RC1","jetty-9.1.0.RC2","jetty-9.1.0.v20131115","jetty-9.1.1.v20140108","jetty-9.1.2.v20140210","jetty-9.1.3.v20140225","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.2.0.M1","jetty-9.2.0.RC0","jetty-9.2.0.v20140523","jetty-9.2.0.v20140526","jetty-9.2.1.v20140609","jetty-9.3.0.M0","jetty-9.3.0.M1","jetty-9.3.0.M2","jetty-9.3.0.RC0","jetty-9.3.0.RC1","jetty-9.3.4.RC0","jetty-9.3.4.RC1","jetty-9.3.4.v20151007","jetty-9.3.5.v20151012","jetty-9.3.6.v20151106","jetty-9.3.7.RC0","jetty-9.3.7.RC1","jetty-9.3.7.v20160115","jetty-9.3.8.RC0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-4800.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"9.3.1"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.2"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.3"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.4"}]},{"events":[{"introduced":"0"},{"last_affected":"9.3.8"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}