Skip to content

Defect Jetty 11.x and 10.x End of Life checks #37

New issue
New issue
Open
Open
Defect Jetty 11.x and 10.x End of Life checks#37
@alt3kx

Description

@alt3kx
alt3kx
opened on Aug 21, 2022

Defect Jetty 11.x and 10.x End of Life checks
The Jetty EoL check does not work correctly. It only checks for the major version and thus generates a scan issue for Jetty 11.X.X and 10.X.X

Tested on Burp Pro version:
-Tested J2EEScan-1.2.6-jar-with-dependencies.jar version
J2EEScan1

-Tested public J2EEScan-2.0.1-dev-jar-with-dependencies.jar version
J2EEScan2

Defect Jetty 11.x.x
Defect11

Defect Jetty 10.x.x
Defect10

Defect 9.4.48,v202206.22 <= 9.4.x is now EoL References
https://github.com/eclipse/jetty.project/releases
https://www.eclipse.org/jetty/download.php

9 4 48

J2EEScan/src/main/java/burp/SoftwareVersions.java

Lines 70 to 94 in 1936af8

/**
* Jetty
*/
if (software.equalsIgnoreCase("Jetty")) {
/**
* End of Life - Jetty
*/
if ( Integer.parseInt(release.substring(0, 1)) < 9 ) {
callbacks.addScanIssue(new CustomScanIssue(
baseRequestResponse.getHttpService(),
requestInfo.getUrl(),
baseRequestResponse,
"End of Life Software - Jetty " + release,
"J2EEScan identified an unsupported release of Jetty <b>" + release + "</b>.<br />"
+ "No more security updates for this version will be released by the vendor <br /><br />"
+ "<b>References</b><br />"
+ "https://wiki.eclipse.org/Jetty/Starting/Jetty_Version_Comparison_Table<br />",
"Update the Jetty Container with the last stable release",
Risk.High,
Confidence.Certain
));
}
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions