Moderate severity · NVD Advisory · Published Dec 5, 2007 · Updated Apr 23, 2026
CVE-2007-5615
Description
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.mortbay.jetty:jetty | Maven | < 6.1.6rc0 | 6.1.6rc0 |
Patches (1)
0d2592ea3183 JETTY-376 allow anything but CRLF in reason string
3 files changed · +9 −3
modules/jetty/src/main/java/org/mortbay/jetty/AbstractGenerator.java+4 −1 modified@@ -361,8 +361,11 @@ public void setResponse(int status, String reason) for (int i=0;i<len;i++) { char ch = reason.charAt(i); - if (ch==' ' || Character.isJavaIdentifierPart(ch)) + if (ch!='\r'&&ch!='\n') _reason.put((byte)ch); + else + + _reason.put((byte)' '); } } }
modules/jetty/src/test/java/org/mortbay/jetty/HttpGeneratorTest.java+4 −2 modified@@ -78,7 +78,7 @@ public void testHTTP() endp.reset(); fields.clear(); - tr[r].build(v,hb,null,connect[c],null,chunks, fields); + tr[r].build(v,hb,"OK\r\nTest",connect[c],null,chunks, fields); String response=endp.getOut().toString(); // System.out.println("RESPONSE: "+t+"\n"+response+(hb.isPersistent()?"...\n":"---\n")); @@ -109,6 +109,9 @@ public void testHTTP() else assertTrue(t,hb.isPersistent() || c==2 || c==3); + if (v>9) + assertEquals("OK Test",f2); + assertTrue(t,tr[r].values[1]==null || content.length()==Integer.parseInt(tr[r].values[1])); } } @@ -199,7 +202,6 @@ public String toString() /* 7 */ new TR(200,"text/html",""+CONTENT.length(),CONTENT), }; - String content; String f0; String f1;
VERSION.txt+1 −0 modified@@ -22,6 +22,7 @@ jetty-SNAPSHOT + Cached user agents strings in the /org/mortbay/jetty/useragents resource + Make default time format for RequestLog match NCSA default + JETTY-311 avoid json keywords + + JETTY-376 allow anything but CRLF in reason string + JETTY-398 Allow same WADI Dispatcher to be used across multiple web-app contexts + JETTY-400 consume CGI stderr + JETTY-402 keep HashUserRealm in sync with file
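Review bot: In the AbstractGenerator.setResponse hunk, the new condition `if (ch!='\r'&&ch!='\n')` still admits every other control character, and `_reason.put((byte)ch)` truncates any char above 0xFF to its low byte, so NUL, DEL and the rest of the C0 range now reach the status line where the replaced identifier-character check rejected them; replacing `ch < 0x20 || ch == 0x7F` (and anything the generator cannot encode in one byte) with a space as well would keep the reason phrase within printable text. Because CR and LF are each replaced by one space, a reason such as "OK\r\nTest" is emitted as "OK  Test" with two spaces, which callers that compare the phrase should be told. The stray empty `+` line between `else` and `_reason.put((byte)' ');` should be dropped. Note also that the removed `Character.isJavaIdentifierPart(ch)` test already excluded CR and LF (neither is an identifier part nor identifier-ignorable), so the observable change of this hunk is that punctuation and other non-identifier characters are now passed through while the CRLF block is preserved; the commit message should say so rather than reading as if CRLF were being blocked for the first time.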
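Review bot: In the HttpGeneratorTest hunk, `assertEquals("OK Test",f2)` expects a single space between OK and Test, but the generator writes one space for the CR and one for the LF, so the raw reason phrase contains two; the assertion only holds if whatever populates `f2` re-splits or collapses whitespace, which should be stated in a comment or the test should check the raw status line instead. Coverage is limited to one CRLF pair: add cases for a lone CR, a lone LF and a reason phrase containing other control characters so the filter's boundary is pinned down. The `if (v>9)` guard (presumably HTTP/0.9, which has no status line) deserves a comment, and the removal of the unused `String content;` field from the TR class is an unrelated cleanup better kept out of a security fix commit.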
Vulnerability mechanics
The patch identifies the sink: AbstractGenerator.setResponse(int status, String reason) copies the reason phrase into the bytes that become the HTTP status line. If a CR LF pair from a caller-supplied reason phrase reaches that line, the status line ends early and everything that follows is read by the client or an intermediary as response headers and, after a blank line, as a body or even a second response; an attacker who influences the reason phrase can therefore inject headers or split the response (CWE-113, HTTP response splitting). The NVD description does not name the vectors through which request data reaches the reason phrase. The fix in commit 0d2592ea keeps every character except CR and LF and writes a space in their place, so the reason phrase can no longer terminate the status line.
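The following Python script is an added illustration, not Jetty code and not code from the advisory. It models the mechanics described above: it serialises a response whose status line carries an attacker-chosen reason phrase, feeds the bytes to a small pipelining-style response parser of the kind a browser or cache uses, and compares three reason-phrase policies: no filtering, the rule from the patch (replace CR and LF with a space), and a stricter rule that also replaces other control characters and non-Latin-1 characters, which goes beyond what the patch does. The function names, the parser and the injected payload are all constructed for this example.

```python
"""Model of HTTP response splitting through the status-line reason phrase.

Added example for CVE-2007-5615; it contains no Jetty code. The 'crlf'
policy reproduces the rule in the patched AbstractGenerator.setResponse()
(keep every char except CR/LF, which become a space); 'strict' is an added,
stronger variant. Names and the payload below are constructed for the demo.
"""

CRLF = b"\r\n"


def sanitize_reason(reason: str, policy: str) -> str:
    """Return the reason phrase after applying one of three policies."""
    if policy == "none":                      # no filtering: copy verbatim
        return reason
    if policy == "crlf":                      # the patch: only CR and LF become a space
        return "".join(" " if ch in "\r\n" else ch for ch in reason)
    if policy == "strict":
        # Added variant: RFC 7230 reason-phrase = *( HTAB / SP / VCHAR / obs-text ),
        # so replace every other control character and anything above 0xFF as well.
        return "".join(
            ch if ch == "\t" or 0x20 <= ord(ch) <= 0x7E or 0x80 <= ord(ch) <= 0xFF else " "
            for ch in reason
        )
    raise ValueError(f"unknown policy {policy!r}")


def build_response(status: int, reason: str, headers: dict, body: bytes, policy: str) -> bytes:
    """Serialise one response. The head is written with the low 8 bits of each
    char, mirroring the (byte)ch cast in the patched Java code."""
    head = f"HTTP/1.1 {status} {sanitize_reason(reason, policy)}"
    lines = [head] + [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    text = "\r\n".join(lines) + "\r\n\r\n"
    return bytes(ord(ch) & 0xFF for ch in text) + body


def parse_responses(stream: bytes):
    """Parse a byte stream the way a pipelining client or cache does: one
    response after another, each body sized by Content-Length.
    Returns (responses, leftover); a response is (status, reason, headers, body).
    Parsing stops at the first line that is not a status line."""
    responses, pos = [], 0
    while pos < len(stream):
        while stream.startswith(CRLF, pos):   # tolerate blank lines between responses
            pos += 2
        end = stream.find(CRLF + CRLF, pos)
        if end < 0:
            break
        head_lines = stream[pos:end].decode("latin-1").split("\r\n")
        parts = head_lines[0].split(" ", 2)
        if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
            break
        headers = {}
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + length]
        responses.append((int(parts[1]), parts[2] if len(parts) == 3 else "", headers, body))
        pos = body_start + length
    return responses, stream[pos:]


# Constructed attacker-controlled reason phrase: it closes the real status line
# and smuggles a complete second response carrying a script body.
INJECTED_BODY = b"<script>evil</script>"
HOSTILE_REASON = (
    "OK\r\nContent-Length: 0\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    f"Content-Length: {len(INJECTED_BODY)}\r\n\r\n" + INJECTED_BODY.decode()
)


def demo(policy: str):
    """Emit the legitimate response with the hostile reason phrase under the
    given policy and return what a downstream parser makes of it."""
    wire = build_response(200, HOSTILE_REASON, {"Content-Type": "text/plain"}, b"hello", policy)
    return parse_responses(wire)


if __name__ == "__main__":
    for policy in ("none", "crlf", "strict"):
        responses, leftover = demo(policy)
        print(f"{policy:6}: {len(responses)} response(s) parsed, "
              f"bodies={[r[3] for r in responses]}, leftover={len(leftover)} bytes")
```

Under the "none" policy the parser sees two responses, the second being the attacker's script page, and the server's real headers and body are left over as unparseable trailing bytes; under "crlf" (the patch) the whole payload stays inside one long reason phrase and the single parsed response is the legitimate one. The "strict" policy behaves the same on this payload and additionally neutralises NUL, DEL and characters the one-byte cast would otherwise truncate.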
References (15)
- github.com/advisories/GHSA-966r-962g-2jq5 (advisory, listed by GHSA)
- nvd.nist.gov/vuln/detail/CVE-2007-5615 (advisory, listed by GHSA)
- lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html (listed by NVD)
- www.kb.cert.org/vuls/id/212984 (US Government Resource, listed by NVD)
- github.com/jetty-project/codehaus-jetty6/commit/0d2592ea3183914163d0921e4855bd3e18582a05 (fix commit, listed by GHSA)
- web.archive.org/web/20071007232422/http://svn.codehaus.org:80/jetty/jetty/trunk/VERSION.txt (listed by GHSA)
- web.archive.org/web/20150112202621/http://www.securityfocus.com/bid/26696 (listed by GHSA)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00227.html (listed by NVD)
- www.redhat.com/archives/fedora-package-announce/2008-July/msg00250.html (listed by NVD)
- osvdb.org/42495 (listed by NVD)
- secunia.com/advisories/27925 (listed by NVD)
- secunia.com/advisories/30941 (listed by NVD)
- secunia.com/advisories/35143 (listed by NVD)
- svn.codehaus.org/jetty/jetty/trunk/VERSION.txt (listed by NVD)
- www.securityfocus.com/bid/26696 (listed by NVD)