High severity7.5NVD Advisory· Published Jun 16, 2017· Updated May 13, 2026

CVE-2017-9735

Description

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.eclipse.jetty:jetty-serverMaven	>= 9.4.0, < 9.4.6.v20170531	9.4.6.v20170531
org.eclipse.jetty:jetty-serverMaven	>= 9.3.0, < 9.3.20.v20170531	9.3.20.v20170531
org.eclipse.jetty:jetty-serverMaven	< 9.2.22.v20170606	9.2.22.v20170606

Affected products

Eclipse/Jetty
cpe:2.3:a:eclipse:jetty:*:*:*:*:*:*:*:*
Range: <9.2.22
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Oracle Corporation/Communications Cloud Native Core Policy
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.5.0:*:*:*:*:*:*:*
Oracle Corporation/Enterprise Manager Base Platform2 versions
cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3:*:*:*:*:*:*:*
Oracle Corporation/Hospitality Guest Access2 versions
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*
Oracle Corporation/Rest Data Services4 versions
cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*+ 3 more
- cpe:2.3:a:oracle:rest_data_services:11.2.0.4:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.1.0.2:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:12.2.0.1:*:*:*:-:*:*:*
- cpe:2.3:a:oracle:rest_data_services:18c:*:*:*:-:*:*:*
Oracle Corporation/Retail Xstore Point Of Service4 versions
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*

Patches

042f325f1cd6

https://github.com/eclipse/jetty.projectvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/eclipse/jetty.project/issues/1556nvdIssue TrackingPatchThird Party AdvisoryWEB
www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlnvdPatchThird Party AdvisoryWEB
www.securityfocus.com/bid/99104nvdThird Party AdvisoryVDB Entry
bugs.debian.org/864631nvdIssue TrackingMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-wfcc-pff6-rgc5ghsaADVISORY
lists.debian.org/debian-lts-announce/2021/05/msg00016.htmlnvdMailing ListThird Party AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2017-9735ghsaADVISORY
www.oracle.com//security-alerts/cpujul2021.htmlnvdThird Party AdvisoryWEB
www.oracle.com/security-alerts/cpuoct2020.htmlnvdThird Party AdvisoryWEB
github.com/eclipse/jetty.project/commit/042f325f1cd6e7891d72c7e668f5947b5457dc02ghsaWEB
lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3EghsaWEB
lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559@%3Ccommon-dev.hadoop.apache.org%3EghsaWEB
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3EghsaWEB
lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a@%3Ccommon-issues.hadoop.apache.org%3EghsaWEB
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3EghsaWEB
lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3EghsaWEB
web.archive.org/web/20170826163336/http://www.securityfocus.com/bid/99104ghsaWEB
lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272%40%3Cissues.activemq.apache.org%3Envd
lists.apache.org/thread.html/36870f6c51f5bc25e6f7bb1fcace0e57e81f1524019b11f466738559%40%3Ccommon-dev.hadoop.apache.org%3Envd
lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3Envd
lists.apache.org/thread.html/f887a5978f5e4c62b9cfe876336628385cff429e796962649649ec8a%40%3Ccommon-issues.hadoop.apache.org%3Envd
lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3Envd
lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3Envd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000