{"id":"UBUNTU-CVE-2017-9735","details":"Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.","modified":"2025-10-24T04:46:21Z","published":"2017-06-16T21:29:00Z","upstream":["CVE-2017-9735"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-9735"},{"type":"REPORT","url":"https://github.com/eclipse/jetty.project/issues/1556"},{"type":"REPORT","url":"https://github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02"},{"type":"REPORT","url":"https://github.com/eclipse/jetty.project/commit/f3751d70787fd8ab93932a51c60514c2eb37cb58"},{"type":"REPORT","url":"https://github.com/eclipse/jetty.project/commit/2baa1abe4b1c380a30deacca1ed367466a1a62ea"},{"type":"REPORT","url":"https://bugs.debian.org/864631"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2017-9735"}],"affected":[{"package":{"name":"jetty","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/jetty@6.1.26-1ubuntu1.2?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.26-1ubuntu1.2"}]}],"versions":["6.1.26-1ubuntu1","6.1.26-1ubuntu1.1"],"ecosystem_specific":{"binaries":[{"binary_version":"6.1.26-1ubuntu1.2","binary_name":"jetty"},{"binary_version":"6.1.26-1ubuntu1.2","binary_name":"libjetty-extra"},{"binary_version":"6.1.26-1ubuntu1.2","binary_name":"libjetty-extra-java"},{"binary_version":"6.1.26-1ubuntu1.2","binary_name":"libjetty-java"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9735.json"}},{"package":{"name":"jetty8","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/jetty8@8.1.3-9?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["8.1.3-8","8.1.3-9"],"ecosystem_specific":{"binaries":[{"binary_version":"8.1.3-9","binary_name":"jetty8"},{"binary_version":"8.1.3-9","binary_name":"libjetty8-extra-java"},{"binary_version":"8.1.3-9","binary_name":"libjetty8-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9735.json"}},{"package":{"name":"jetty","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/jetty@6.1.26-5ubuntu0.1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"6.1.26-5ubuntu0.1"}]}],"versions":["6.1.26-5"],"ecosystem_specific":{"binaries":[{"binary_version":"6.1.26-5ubuntu0.1","binary_name":"libjetty-extra"},{"binary_version":"6.1.26-5ubuntu0.1","binary_name":"libjetty-extra-java"},{"binary_version":"6.1.26-5ubuntu0.1","binary_name":"libjetty-java"}],"availability":"No subscription required"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9735.json"}},{"package":{"name":"jetty8","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/jetty8@8.1.19-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["8.1.17-2","8.1.18-1","8.1.18-2","8.1.18-3","8.1.19-1"],"ecosystem_specific":{"binaries":[{"binary_version":"8.1.19-1","binary_name":"jetty8"},{"binary_version":"8.1.19-1","binary_name":"libjetty8-extra-java"},{"binary_version":"8.1.19-1","binary_name":"libjetty8-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9735.json"}},{"package":{"name":"jetty9","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/jetty9@9.2.14-1?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["9.2.14-1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.2.14-1","binary_name":"jetty9"},{"binary_version":"9.2.14-1","binary_name":"libjetty9-extra-java"},{"binary_version":"9.2.14-1","binary_name":"libjetty9-java"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2017/UBUNTU-CVE-2017-9735.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}]}