Jetty Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability - CVE-2009-5047

Jetty 6.x through 6.1.22 suffers from an escape sequence injection vulnerability from an attack vector by means of: 1) quotCookie Dump Servletquot and 2) Http Content-Length header. 1) A POST request to the form at quot/test/cookie/quot with the quotAgequot parameter set to a string throws a quotjava.lang.NumberFormatExceptionquot which reflects binary characters including ESC. These characters could be used to execute arbitrary commands or buffer dumps in the terminal. 2) The attack vector in 1) can be exploited by requesting a page using an HTTP request quotContent-Lengthquot header set to a consonant string (string including only letters).