{"id":"CVE-2017-9735","details":"Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.","aliases":["GHSA-wfcc-pff6-rgc5"],"modified":"2026-05-18T05:50:00.564539594Z","published":"2017-06-16T21:29:00.710Z","database_specific":{"unresolved_ranges":[{"source":"CPE_FIELD","cpes":["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"],"vendor_product":"debian:debian_linux","extracted_events":[{"last_affected":"9.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*"],"vendor_product":"eclipse:jetty","extracted_events":[{"introduced":"9.4.0"},{"fixed":"9.4.6"},{"introduced":"9.4.0"},{"fixed":"9.4.6"},{"introduced":"9.4.0"},{"fixed":"9.4.6"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.5.0:*:*:*:*:*:*:*"],"vendor_product":"oracle:communications_cloud_native_core_policy","extracted_events":[{"last_affected":"1.5.0"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*","cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*"],"vendor_product":"oracle:enterprise_manager_base_platform","extracted_events":[{"last_affected":"13.2"},{"last_affected":"13.3"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:hospitality_guest_access","extracted_events":[{"last_affected":"4.2.0"},{"last_affected":"4.2.1"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*","cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*"],"vendor_product":"oracle:rest_data_services","extracted_events":[{"last_affected":"11.2.0.4"},{"last_affected":"12.1.0.2"},{"last_affected":"12.2.0.1"},{"last_affected":"18c"}]},{"source":"CPE_FIELD","cpes":["cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*","cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*"],"vendor_product":"oracle:retail_xstore_point_of_service","extracted_events":[{"last_affected":"7.1"},{"last_affected":"15.0"},{"last_affected":"16.0"},{"last_affected":"17.0"}]}]},"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/99104"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html"},{"type":"ADVISORY","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"ADVISORY","url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"type":"REPORT","url":"https://bugs.debian.org/864631"},{"type":"FIX","url":"https://github.com/eclipse/jetty.project/issues/1556"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jetty/jetty.project","events":[{"introduced":"0"},{"fixed":"0af30bce5aebb447f9e235b1634e8104490c1426"},{"introduced":"390f3200cce7f90f1f3ebc78013c1afea2f93db8"},{"fixed":"0f3b1cbe368f6d5aca01f3a3efc95ac41fff6035"}],"database_specific":{"source":"CPE_FIELD","cpe":"cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"9.2.22"},{"introduced":"9.3.0"},{"fixed":"9.3.20"}]}}],"versions":["jetty-9.3.19.v20170502","jetty-9.3.18.v20170406","jetty-9.3.17.v20170317","jetty-9.2.21.v20170120","jetty-9.2.20.v20161216","jetty-9.3.13.M0","jetty-9.2.19.v20160908","jetty-9.2.18.v20160721","jetty-9.2.15.v20160210","jetty-9.3.7.v20160115","jetty-9.3.7.RC1","jetty-9.3.4.v20151007","jetty-9.2.13.v20150730","jetty-9.2.12.v20150709","jetty-9.2.12.M0","jetty-9.2.11.v20150529","jetty-9.2.11.v20150528","jetty-9.2.11.M0","jetty-9.2.10.v20150310","jetty-9.2.9.v20150224","jetty-9.2.8.v20150217","jetty-9.2.7.v20150116","jetty-9.2.6.v20141205","jetty-9.2.6.v20141203","jetty-9.2.5.v20141112","jetty-9.2.4.v20141103","jetty-9.2.3.v20140905","jetty-9.2.2.v20140723","jetty-9.2.1.v20140609","jetty-9.2.0.v20140526","jetty-9.2.0.v20140523","jetty-9.2.0.RC0","jetty-9.2.0.M1","jetty-9.1.4.v20140401","jetty-9.2.0.M0","jetty-9.1.3.v20140225","jetty-9.1.2.v20140210","jetty-9.1.1.v20140108","jetty-9.1.0.v20131115","jetty-9.1.0.RC2","jetty-9.1.0.RC1","jetty-9.1.0.RC0","jetty-9.1.0.M0","jetty-8.1.0.RC0","jetty-8.0.0.RC0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-9735.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}