[jetty-announce] CVE-2015-2080 : JetLeak Vulnerability Remote Leakage of Shared Buffers in Jetty
A security vulnerability in Jetty 9.2.3.v20140905 through 9.2.8.v20150217 (including 9.3.0.M0 and 9.3.0.M1, currently in beta/milestones) was recently discovered by Gotham Digital Science and Stephen Komal.
Note: The Jetty 9.2.9.v20150224 release has the fix. A new release of Jetty 9.3.0 (currently in unstable beta/milestones) is being worked on.
We would like to thank Gotham Digital Science and Stephen Komal for their timely notice and excellent, detailed analysis of this issue. Based on their feedback we were able to quickly resolve the problem and determine the steps necessary to remediate the issue.
We determined that the severity of this bug was high enough that getting a release out and publishing the details was vital to our user base. We independently made the decision to publish the details of this vulnerability well ahead of the normal CVE disclosure process.