CVE-2009-1524 [Medium] | XSS in Jetty

CVE-2009-1524 is rated Low Risk (38.7/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 0.44%). Monitor for updates and reassess as exploit intelligence or EPSS changes.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2025-09-21	0.80%	0.44%	-0.36%
2	2025-09-04	0.45%	0.80%	+0.35%
3	2025-09-01	—	0.45%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2025-09-21

0.80%

0.44%

-0.36%

2025-09-04

0.45%

0.80%

+0.35%

2025-09-01

—

0.45%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
4.3	2.0	MEDIUM	`AV:N/AC:M/Au:N/C:N/I:P/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:M) Exploitation needs some favorable conditions, but not exceptional ones. Authentication (AU:N) No authentication is required. Confidentiality impact (C:N) No confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:N) No availability impact.	8.6	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

4.3

2.0

MEDIUM

AV:N/AC:M/Au:N/C:N/I:P/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:M): Exploitation needs some favorable conditions, but not exceptional ones.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:N): No confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:N): No availability impact.

8.6

2.9

[email protected]

OS Trackers for CVE-2009-1524

vendor	priority	summary	link
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2009-1524
`ubuntu`	medium	CVE-2009-1524 medium priority: Ubuntu including 1 source packages (jetty), 10 status rows across 10 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): not-affected 5, ignored 4, released 1.	https://ubuntu.com/security/CVE-2009-1524

Affected software / configurations for CVE-2009-1524

Vendor	Product	Version	Raw CPE
mortbay	jetty	<= 6.1.16	cpe:2.3:a:mortbay:jetty::::::::
mortbay	jetty	1.0	cpe:2.3:a:mortbay:jetty:1.0:::::::*
mortbay	jetty	1.0.1	cpe:2.3:a:mortbay:jetty:1.0.1:::::::*
mortbay	jetty	1.1	cpe:2.3:a:mortbay:jetty:1.1:::::::*
mortbay	jetty	1.1.1	cpe:2.3:a:mortbay:jetty:1.1.1:::::::*
mortbay	jetty	1.2.0	cpe:2.3:a:mortbay:jetty:1.2.0:::::::*
mortbay	jetty	1.3.0	cpe:2.3:a:mortbay:jetty:1.3.0:::::::*
mortbay	jetty	1.3.1	cpe:2.3:a:mortbay:jetty:1.3.1:::::::*
mortbay	jetty	1.3.2	cpe:2.3:a:mortbay:jetty:1.3.2:::::::*
mortbay	jetty	1.3.3	cpe:2.3:a:mortbay:jetty:1.3.3:::::::*
mortbay	jetty	1.3.4	cpe:2.3:a:mortbay:jetty:1.3.4:::::::*
mortbay	jetty	1.3.5	cpe:2.3:a:mortbay:jetty:1.3.5:::::::*
mortbay	jetty	2.0	cpe:2.3:a:mortbay:jetty:2.0:alpha1::::::
mortbay	jetty	2.0	cpe:2.3:a:mortbay:jetty:2.0:alpha2::::::
mortbay	jetty	2.0	cpe:2.3:a:mortbay:jetty:2.0:beta1::::::
mortbay	jetty	2.0	cpe:2.3:a:mortbay:jetty:2.0:beta2::::::
mortbay	jetty	2.0.0	cpe:2.3:a:mortbay:jetty:2.0.0:::::::*
mortbay	jetty	2.0.1	cpe:2.3:a:mortbay:jetty:2.0.1:::::::*
mortbay	jetty	2.0.2	cpe:2.3:a:mortbay:jetty:2.0.2:::::::*
mortbay	jetty	2.0.3	cpe:2.3:a:mortbay:jetty:2.0.3:::::::*
mortbay	jetty	2.0.4	cpe:2.3:a:mortbay:jetty:2.0.4:::::::*
mortbay	jetty	2.0.5	cpe:2.3:a:mortbay:jetty:2.0.5:::::::*
mortbay	jetty	2.1.0	cpe:2.3:a:mortbay:jetty:2.1.0:::::::*
mortbay	jetty	2.1.1	cpe:2.3:a:mortbay:jetty:2.1.1:::::::*
mortbay	jetty	2.1.2	cpe:2.3:a:mortbay:jetty:2.1.2:::::::*
mortbay	jetty	2.1.3	cpe:2.3:a:mortbay:jetty:2.1.3:::::::*
mortbay	jetty	2.1.4	cpe:2.3:a:mortbay:jetty:2.1.4:::::::*
mortbay	jetty	2.1.5	cpe:2.3:a:mortbay:jetty:2.1.5:::::::*
mortbay	jetty	2.1.6	cpe:2.3:a:mortbay:jetty:2.1.6:::::::*
mortbay	jetty	2.1.7	cpe:2.3:a:mortbay:jetty:2.1.7:::::::*
mortbay	jetty	2.1.b0	cpe:2.3:a:mortbay:jetty:2.1.b0:::::::*
mortbay	jetty	2.1.b1	cpe:2.3:a:mortbay:jetty:2.1.b1:::::::*
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:alpha0::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:alpha1::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:beta0::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:beta1::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:beta2::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:beta3::::::
mortbay	jetty	2.2	cpe:2.3:a:mortbay:jetty:2.2:beta4::::::
mortbay	jetty	2.2.0	cpe:2.3:a:mortbay:jetty:2.2.0:::::::*
mortbay	jetty	2.2.1	cpe:2.3:a:mortbay:jetty:2.2.1:::::::*
mortbay	jetty	2.2.2	cpe:2.3:a:mortbay:jetty:2.2.2:::::::*
mortbay	jetty	2.2.3	cpe:2.3:a:mortbay:jetty:2.2.3:::::::*
mortbay	jetty	2.2.4	cpe:2.3:a:mortbay:jetty:2.2.4:::::::*
mortbay	jetty	2.2.5	cpe:2.3:a:mortbay:jetty:2.2.5:::::::*
mortbay	jetty	2.2.6	cpe:2.3:a:mortbay:jetty:2.2.6:::::::*
mortbay	jetty	2.2.7	cpe:2.3:a:mortbay:jetty:2.2.7:::::::*
mortbay	jetty	2.2.8	cpe:2.3:a:mortbay:jetty:2.2.8:::::::*
mortbay	jetty	2.3.0	cpe:2.3:a:mortbay:jetty:2.3.0:::::::*
mortbay	jetty	2.3.0a	cpe:2.3:a:mortbay:jetty:2.3.0a:::::::*
mortbay	jetty	2.3.1	cpe:2.3:a:mortbay:jetty:2.3.1:::::::*
mortbay	jetty	2.3.2	cpe:2.3:a:mortbay:jetty:2.3.2:::::::*
mortbay	jetty	2.3.3	cpe:2.3:a:mortbay:jetty:2.3.3:::::::*
mortbay	jetty	2.3.4	cpe:2.3:a:mortbay:jetty:2.3.4:::::::*
mortbay	jetty	2.3.5	cpe:2.3:a:mortbay:jetty:2.3.5:::::::*
mortbay	jetty	2.4.0	cpe:2.3:a:mortbay:jetty:2.4.0:::::::*
mortbay	jetty	2.4.1	cpe:2.3:a:mortbay:jetty:2.4.1:::::::*
mortbay	jetty	2.4.2	cpe:2.3:a:mortbay:jetty:2.4.2:::::::*
mortbay	jetty	2.4.3	cpe:2.3:a:mortbay:jetty:2.4.3:::::::*
mortbay	jetty	2.4.4	cpe:2.3:a:mortbay:jetty:2.4.4:::::::*
mortbay	jetty	2.4.5	cpe:2.3:a:mortbay:jetty:2.4.5:::::::*
mortbay	jetty	2.4.6	cpe:2.3:a:mortbay:jetty:2.4.6:::::::*
mortbay	jetty	2.4.7	cpe:2.3:a:mortbay:jetty:2.4.7:::::::*
mortbay	jetty	2.4.8	cpe:2.3:a:mortbay:jetty:2.4.8:::::::*
mortbay	jetty	2.4.9	cpe:2.3:a:mortbay:jetty:2.4.9:::::::*
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:::::::*
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc1::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc2::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc3::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc4::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc5::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc6::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc7::::::
mortbay	jetty	3.0.0	cpe:2.3:a:mortbay:jetty:3.0.0:rc8::::::
mortbay	jetty	3.0.1	cpe:2.3:a:mortbay:jetty:3.0.1:::::::*
mortbay	jetty	3.0.2	cpe:2.3:a:mortbay:jetty:3.0.2:::::::*
mortbay	jetty	3.0.3	cpe:2.3:a:mortbay:jetty:3.0.3:::::::*
mortbay	jetty	3.0.4	cpe:2.3:a:mortbay:jetty:3.0.4:::::::*
mortbay	jetty	3.0.5	cpe:2.3:a:mortbay:jetty:3.0.5:::::::*
mortbay	jetty	3.0.6	cpe:2.3:a:mortbay:jetty:3.0.6:::::::*

References for CVE-2009-1524

URL	Tags
http://itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02282388
http://jira.codehaus.org/browse/JETTY-980	Patch
http://secunia.com/advisories/34975	Vendor Advisory
http://secunia.com/advisories/40553
http://www.securityfocus.com/bid/34800
http://www.vupen.com/english/advisories/2010/1792
https://bugzilla.redhat.com/show_bug.cgi?id=499867

URL

CVE-2009-1524

Exploit prediction scoring system (EPSS) score for CVE-2009-1524

Common vulnerability scoring system (CVSS) metrics for CVE-2009-1524

Weakness enumeration for CVE-2009-1524

OS Trackers for CVE-2009-1524

Affected software / configurations for CVE-2009-1524

References for CVE-2009-1524