{"id":"CVE-2017-9735","details":"Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.","aliases":["GHSA-wfcc-pff6-rgc5"],"modified":"2026-04-16T06:25:19.587268026Z","published":"2017-06-16T21:29:00.710Z","references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99104"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"REPORT","url":"https://bugs.debian.org/864631"},{"type":"FIX","url":"https://github.com/eclipse/jetty.project/issues/1556"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"0"},{"fixed":"0af30bce5aebb447f9e235b1634e8104490c1426"},{"introduced":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"fixed":"0f3b1cbe368f6d5aca01f3a3efc95ac41fff6035"},{"introduced":"0"},{"last_affected":"883fe0e8317a89c46b49465bac2dcd07166e714c"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.2.22"},{"introduced":"9.3.0"},{"fixed":"9.3.20"},{"introduced":"0"},{"last_affected":"9.0"}]}}],"versions":["jetty-8.0.0.RC0","jetty-8.1.0.RC0","jetty-9.0.x","jetty-9.1.0.M0","jetty-9.1.0.RC0","jetty-9.1.0.RC1","jetty-9.1.0.RC2","jetty-9.1.0.v20131115","jetty-9.1.1.v20140108","jetty-9.1.2.v20140210","jetty-9.1.3.v20140225","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.2.0.M1","jetty-9.2.0.RC0","jetty-9.2.0.v20140523","jetty-9.2.0.v20140526","jetty-9.2.1.v20140609","jetty-9.2.10.v20150310","jetty-9.2.11.M0","jetty-9.2.11.v20150528","jetty-9.2.11.v20150529","jetty-9.2.12.M0","jetty-9.2.12.v20150709","jetty-9.2.13.v20150730","jetty-9.2.15.v20160210","jetty-9.2.18.v20160721","jetty-9.2.19.v20160908","jetty-9.2.2.v20140723","jetty-9.2.20.v20161216","jetty-9.2.21.v20170120","jetty-9.2.3.v20140905","jetty-9.2.4.v20141103","jetty-9.2.5.v20141112","jetty-9.2.6.v20141203","jetty-9.2.6.v20141205","jetty-9.2.7.v20150116","jetty-9.2.8.v20150217","jetty-9.2.9.v20150224","jetty-9.3.13.M0","jetty-9.3.17.v20170317","jetty-9.3.18.v20170406","jetty-9.3.19.v20170502","jetty-9.3.4.v20151007","jetty-9.3.7.RC1","jetty-9.3.7.v20160115"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-9735.json","unresolved_ranges":[{"events":[{"introduced":"9.4.0"},{"fixed":"9.4.6"}]},{"events":[{"introduced":"0"},{"last_affected":"1.5.0"}]},{"events":[{"introduced":"0"},{"last_affected":"13.2"}]},{"events":[{"introduced":"0"},{"last_affected":"13.3"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.0"}]},{"events":[{"introduced":"0"},{"last_affected":"4.2.1"}]},{"events":[{"introduced":"0"},{"last_affected":"11.2.0.4"}]},{"events":[{"introduced":"0"},{"last_affected":"12.1.0.2"}]},{"events":[{"introduced":"0"},{"last_affected":"12.2.0.1"}]},{"events":[{"introduced":"0"},{"last_affected":"18c"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"16.0"}]},{"events":[{"introduced":"0"},{"last_affected":"17.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}