LiveActive security incident?Get immediate response
CVE Record

CVE-2009-5046: JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.

JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's Takemoderate

Analyst readout for executives and security teams

Plain-English summary

This CVE describes cross-site scripting in Jetty before 6.1.22, tied to the JSP Dump and Session Dump servlets. The business risk is mainly user or administrator browser compromise if those servlet pages are reachable. The bundle does not provide CVSS, CPEs, or evidence of active exploitation.

Executive priority

Prioritize remediation for internet-facing or administrator-used Jetty systems below 6.1.22. If no affected servlet functionality is deployed or reachable, urgency is lower, but obsolete Jetty versions should still be retired.

Technical view

The cited CVE record identifies XSS in Jetty before 6.1.22 involving JSP Dump and Session Dump Servlet behavior. No CWE, CVSS vector, affected CPE list, or detailed vendor remediation text is included in the bundle. Treat exposure as configuration-dependent and verify deployed Jetty versions and reachable dump servlet functionality.

Likely exposure

Likely exposure is older Jetty deployments before 6.1.22, especially where JSP Dump or Session Dump servlet functionality is present and reachable. The provided sources do not enumerate exact products, packages, CPEs, or deployment defaults.

Exploitation context

The bundle supports an XSS classification but does not show KEV listing or another cited source confirming active exploitation. Risk depends on whether a target user can be induced to access affected servlet content and whether the affected servlet is exposed.

Researcher notes

Evidence is sparse: the CVE description and title identify XSS in Jetty before 6.1.22, while the bundle lacks scoring and detailed affected configuration data. Do not assume broad exposure without confirming deployed version and servlet reachability.

Mitigation direction

  • Upgrade Jetty deployments before 6.1.22 to 6.1.22 or later.
  • Check vendor or distribution guidance for supported fixed package versions.
  • Restrict access to dump servlet functionality if business need exists.
  • Remove or disable unnecessary diagnostic servlet exposure after confirming operational impact.

Validation and detection

  • Inventory Jetty versions and flag any instance below 6.1.22.
  • Confirm whether JSP Dump or Session Dump servlet functionality is deployed.
  • Review external and internal routes for reachable diagnostic servlet pages.
  • Check Debian package status if using Debian-managed Jetty packages.
  • Review access logs for unexpected requests to dump servlet paths.
Prepared
Confidence
medium
Sources
5

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cve · low confidence lookup

CVE-2009-5046 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
4Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.