CVE-2005-3747 in Jetty

Summary

by MITRE

Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving requests for .jsp files with URL-encoded backslash ("%5C") characters. NOTE: this might be the same issue as CVE-2006-2758.


Analysis

by VulDB Data Team • 10/30/2025

The vulnerability identified as CVE-2005-3747 represents a critical information disclosure weakness within the Jetty web server software family prior to version 5.1.6. This issue falls under the broader category of insecure direct object references and improper access control mechanisms that can lead to unauthorized data exposure. The vulnerability specifically affects the handling of Uniform Resource Identifiers containing URL-encoded backslash characters, creating an avenue for malicious actors to access sensitive server-side resources that should remain protected from public view.

The technical exploitation of this vulnerability occurs through manipulation of the request URL, where attackers can use the percent-encoded backslash character "%5C" to traverse directory structures within the web server's file system. When Jetty processes these malformed requests, it fails to properly sanitize or validate the incoming path information, allowing the server to interpret the encoded backslash as a legitimate directory traversal sequence. This flaw enables attackers to request JSP files and potentially gain access to the underlying source code of web applications running on the server. The vulnerability demonstrates a classic path traversal flaw that operates at the application layer of the network stack and can be classified under CWE-22, which specifically addresses improper limitation of a pathname to a restricted directory.

The operational impact of this vulnerability extends beyond simple information disclosure, as the exposure of JSP source code provides attackers with detailed insights into the application's implementation logic, database connection strings, and potential security mechanisms. This information can be leveraged to craft more sophisticated attacks targeting other components of the web application or to develop additional exploits that may not have been initially apparent. The vulnerability affects organizations running older versions of Jetty where proper input validation and access control measures have not been implemented or updated, creating a significant risk for any enterprise that has not performed routine security maintenance on their web server infrastructure.

Security practitioners should consider this vulnerability in the context of the broader ATT&CK framework, particularly under the techniques related to credential access and reconnaissance activities where adversaries attempt to gather information about target systems. The vulnerability's potential overlap with CVE-2006-2758 suggests a pattern of similar issues that may have affected other web server implementations, highlighting the importance of thorough vulnerability assessment and patch management procedures. Organizations should prioritize immediate remediation by upgrading to Jetty version 5.1.6 or later, implementing proper input validation at the application level, and configuring web server access controls to prevent directory traversal attempts. Additional mitigations include deploying web application firewalls that can detect and block suspicious URL patterns, implementing proper logging and monitoring of unusual file access requests, and conducting regular security assessments to identify similar vulnerabilities that may exist within the application stack.
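The logging and monitoring mitigation above can be sketched as a scan of access logs for .jsp requests whose path carries a percent-encoded backslash, including nested encodings such as "%255C". This is an added example, not code from VulDB or the Jetty project; the NCSA-style log format, the sample lines and all function names are assumptions constructed for illustration, and the position of the encoded backslash in the samples is arbitrary.

```python
import re
from urllib.parse import unquote

# NCSA-style line: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
MAX_DECODE_ROUNDS = 3  # unwinds %5C and nested forms such as %255C

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Nov/2005:10:00:01 +0000] "GET /shop/view.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [22/Nov/2005:10:00:05 +0000] "GET /shop%5Cview.jsp HTTP/1.1" 200 1834',
    '198.51.100.7 - - [22/Nov/2005:10:00:06 +0000] "GET /shop%255cview.jsp HTTP/1.1" 404 312',
    '192.0.2.10 - - [22/Nov/2005:10:00:09 +0000] "GET /search?q=a%5Cb HTTP/1.1" 200 900',
    '192.0.2.44 - - [22/Nov/2005:10:00:12 +0000] "GET /img%5Clogo.png HTTP/1.1" 404 312',
]


def decoded_path(target):
    """Return the request path (query stripped) with percent-encoding unwound."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        unwound = unquote(path)
        if unwound == path:
            break
        path = unwound
    return path


def is_suspicious(target):
    """True when the decoded path holds a backslash and refers to a .jsp file."""
    path = decoded_path(target)
    return "\\" in path and ".jsp" in path.lower()


def scan(lines):
    """Return (host, raw target, served) for each flagged request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"]):
            # A 200 means content was returned: triage these first.
            hits.append((m["host"], m["target"], m["status"] == "200"))
    return hits


if __name__ == "__main__":
    for host, target, served in scan(SAMPLE_LOG):
        print(f"{host} {target} served={served}")
```

Backslashes in the query string and in non-JSP paths are deliberately not flagged, which keeps the rule tied to the behaviour this entry describes.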

Reservation: 11/22/2005

Disclosure: 11/22/2005

Moderation: accepted

Entry: VDB-27025

CPE: ready

Exploit: Download

EPSS: 0.04386

KEV: no

Activities: very low
