org.eclipse.jetty:jetty-server
Maven · 25 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting org.eclipse.jetty:jetty-server (page 1 of 1)
- CVE-2006-6969 · NONE · CVSS 0.0 · EG 0.0 · ✓ Fixed in 6.1.0pre3 · 2007-02-07
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.Random, which makes it easier for remote attackers to guess a session identifier through brute for…
- CVE-2011-4461 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 8.1.0.RC4 · 2011-12-30
vulnerable: 7.0.0.M0 ... 8.1.0.RC2 (87 versions)
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many craft…
- CVE-2015-2080 · HIGH · CVSS 7.5 · EG 9.0 · ✓ Fixed in 9.2.9.v20150224 · 2016-10-07
vulnerable: 7.0.0.M0 ... 9.2.8.v20150217 (153 versions)
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
- CVE-2016-4800 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 9.3.9 · 2017-04-13
vulnerable: 9.3.0.v20150612 ... 9.3.9.M1 (16 versions)
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped character…
- CVE-2017-7656 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 9.4.11.v20180605 · 2018-06-26
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (23 versions)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) t…
- CVE-2017-7657 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 9.3.24.v20180605 · 2018-06-26
vulnerable: 9.3.0.v20150612 ... 9.3.9.v20160517 (37 versions)
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integ…
- CVE-2017-7658 · CRITICAL · CVSS 9.8 · EG 9.8 · ✓ Fixed in 9.4.11.v20180605 · 2018-06-26
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (23 versions)
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-l…
- CVE-2017-9735 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 9.2.22.v20170606 · 2017-06-16
vulnerable: 7.0.0.M0 ... 9.2.9.v20150224 (168 versions)
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
- CVE-2018-12536 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 9.3.24.v20180605 · 2018-06-27
vulnerable: 9.0.0.v20130308 ... 9.3.9.v20160517 (97 versions)
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file se…
- CVE-2018-12538 · HIGH · CVSS 8.8 · EG 8.8 · ✓ Fixed in 9.4.11.v20180605 · 2018-06-22
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (23 versions)
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even dele…
- CVE-2018-12545 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 9.3.25.v20180904 · 2019-03-27
vulnerable: 9.3.0.v20150612 ... 9.3.9.v20160517 (38 versions)
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large HTTP/2 SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability i…
- CVE-2019-10241 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 9.4.16.v20190411 · 2019-04-22
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (31 versions)
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configure…
- CVE-2019-10246 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 9.4.17.v20190418 · 2019-04-22
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (32 versions)
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name to a remote client when it is configured for showing a Listing of d…
- CVE-2019-10247 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 9.4.17.v20190418 · 2019-04-22
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (32 versions)
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the outp…
- CVE-2019-17632 · MEDIUM · CVSS 6.1 · EG 6.1 · ✓ Fixed in 9.4.24.v20191120 · 2019-11-25
vulnerable: 9.4.23.v20191118
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces incl…
- CVE-2019-17638 · CRITICAL · CVSS 9.4 · EG 9.4 · ✓ Fixed in 9.4.30.v20200611 · 2020-07-09
vulnerable: 9.4.27.v20200227, 9.4.28.v20200408, 9.4.29.v20200521
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is relea…
- CVE-2020-27218 · MEDIUM · CVSS 4.8 · EG 4.8 · ✓ Fixed in 9.4.35.v20201120 · 2020-11-28
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (50 versions)
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connectio…
- CVE-2020-27223 · MEDIUM · CVSS 5.2 · EG 5.2 · ✓ Fixed in 11.0.1 · 2021-02-26
vulnerable: 11.0.0
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of…
- CVE-2021-28165 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 11.0.2 · 2021-04-01
vulnerable: 11.0.0, 11.0.1
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
- CVE-2021-34428 · LOW · CVSS 2.9 · EG 2.9 · ✓ Fixed in 11.0.3 · 2021-06-22
vulnerable: 11.0.0, 11.0.1, 11.0.2
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessi…
- CVE-2022-2191 · HIGH · CVSS 7.5 · EG 7.5 · ✓ Fixed in 11.0.10 · 2022-07-07
vulnerable: 11.0.0 ... 11.0.9 (10 versions)
In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool on error code paths.
- CVE-2023-26048 · MEDIUM · CVSS 5.3 · EG 5.3 · ✓ Fixed in 11.0.14 · 2023-04-18
vulnerable: 11.0.0 ... 11.0.9 (14 versions)
Jetty is a Java-based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `…
- CVE-2023-26049 · LOW · CVSS 2.4 · EG 2.4 · ✓ Fixed in 12.0.0.beta0 · 2023-04-18
vulnerable: 12.0.0.alpha0, 12.0.0.alpha1, 12.0.0.alpha2, 12.0.0.alpha3
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism…
- CVE-2024-13009 · HIGH · CVSS 7.2 · EG 7.2 · ✓ Fixed in 9.4.57.v20241219 · 2025-05-08
vulnerable: 9.4.0.v20161208 ... 9.4.9.v20180320 (72 versions)
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
- CVE-2024-8184 · MEDIUM · CVSS 5.9 · EG 5.9 · ✓ Fixed in 9.4.56 · 2024-10-14
vulnerable: 9.3.12.v20160915 ... 9.4.9.v20180320 (100 versions)
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger Out…
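The first entry above (CVE-2006-6969) turns on a property of java.util.Random that is easy to state and worth seeing concretely: it is a 48-bit linear congruential generator, and each nextInt() reveals the top 32 bits of its state, so two consecutive outputs are enough to recover the state and predict every later value. The script below is an added example, not Jetty code and not the Jetty session ID format: it re-implements java.util.Random's documented LCG (multiplier 0x5DEECE66D, addend 0xB, 48-bit mask) in Python, brute-forces the 16 discarded bits, and predicts the next outputs. The "session IDs" are constructed from a chosen seed, not captured from a server.

```python
"""Recover java.util.Random state from consecutive nextInt() outputs.

Added example: demonstrates why identifiers derived from java.util.Random
are predictable. Constants are the ones java.util.Random documents; the
sample outputs are generated locally from a constructed seed.
"""

MULT = 0x5DEECE66D          # java.util.Random multiplier
ADD = 0xB                   # java.util.Random addend
MASK = (1 << 48) - 1        # 48-bit state


class JavaRandom:
    """Minimal re-implementation of java.util.Random.nextInt()."""

    def __init__(self, seed: int):
        # Java scrambles the caller's seed on construction: (seed ^ MULT) & MASK
        self.seed = (seed ^ MULT) & MASK

    def next_int(self) -> int:
        self.seed = (self.seed * MULT + ADD) & MASK
        value = self.seed >> 16                       # top 32 of the 48 state bits
        return value - (1 << 32) if value & (1 << 31) else value   # Java int is signed


def recover_state(outputs: list) -> int | None:
    """Given >= 2 consecutive nextInt() values, brute-force the 16 bits that
    nextInt() discards and return the state after the last output, or None.
    Every supplied output after the first is used to confirm the candidate,
    so false positives are ruled out in practice."""
    if len(outputs) < 2:
        raise ValueError("need at least two consecutive outputs")
    high = outputs[0] & 0xFFFFFFFF
    for low in range(1 << 16):
        state = (high << 16) | low
        for expected in outputs[1:]:
            state = (state * MULT + ADD) & MASK
            if state >> 16 != (expected & 0xFFFFFFFF):
                break
        else:
            return state
    return None


def predict_next(state: int, count: int) -> list:
    """Continue the generator from a recovered state; no seed scrambling here
    because we already hold the raw state."""
    rng = JavaRandom.__new__(JavaRandom)
    rng.seed = state
    return [rng.next_int() for _ in range(count)]


if __name__ == "__main__":
    server = JavaRandom(20061231)                 # constructed seed, stands in for the server
    observed = [server.next_int() for _ in range(3)]   # e.g. three session IDs handed out
    state = recover_state(observed)
    print("observed:", observed)
    print("predicted next:", predict_next(state, 3))
    print("actual next:   ", [server.next_int() for _ in range(3)])
```

The brute force is 65,536 candidates, so an attacker who has seen two of their own session identifiers can compute everyone else's in milliseconds; that is the difference between java.util.Random and java.security.SecureRandom, which is the replacement the fix amounts to.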
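CVE-2017-7657 (chunk length parsed into an overflowing integer) and CVE-2017-7658 (second Content-Length ignored, and Content-Length beside Transfer-Encoding) are the two classic request-framing mistakes that make request smuggling possible. The validator below is an added example, not Jetty's HttpParser: it applies the RFC 7230 section 3.3.3 rules that the fixes rely on, namely reject conflicting Content-Length values, reject Content-Length together with Transfer-Encoding, and bound chunk sizes before converting them, against a few constructed raw requests. The chunk-size ceiling is an assumption for this example, not Jetty's configured limit.

```python
"""Strict HTTP/1.1 body-framing checks (added example, not Jetty's parser).

Runs RFC 7230 section 3.3.3 framing rules over constructed raw requests and
reports accept/reject, which is what a WAF or reverse proxy should do
instead of silently choosing one of two possible framings.
"""
import re

MAX_CHUNK_SIZE = 1 << 31   # assumed ceiling for this example, not a Jetty setting


class FramingError(ValueError):
    pass


def parse_headers(raw: bytes):
    """Split a raw request into (request line, [(name, value)...], body bytes).
    Duplicate headers are kept so the framing rules can see them."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 7230 3.2.4: no whitespace between field name and colon
        if not colon or not name or name != name.strip():
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("ascii")))
    return lines[0].decode("ascii"), headers, body


def body_framing(headers):
    """Return ('chunked', None), ('length', n) or ('none', None), or raise."""
    te = [v for k, v in headers if k == "transfer-encoding"]
    cl = [v for k, v in headers if k == "content-length"]
    if te and cl:
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("Transfer-Encoding without final chunked coding")
        return "chunked", None
    if cl:
        if len(set(cl)) != 1:                      # duplicates must agree exactly
            raise FramingError(f"conflicting Content-Length values {cl}")
        if not re.fullmatch(r"[0-9]+", cl[0]):     # no sign, space or list syntax
            raise FramingError(f"invalid Content-Length {cl[0]!r}")
        return "length", int(cl[0])
    return "none", None


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body, bounding each chunk size before use."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";")[0].strip()      # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,16}", size_field):
            raise FramingError(f"bad chunk size {size_field!r}")
        size = int(size_field, 16)
        if size >= MAX_CHUNK_SIZE:                 # would wrap a 32-bit int
            raise FramingError(f"chunk size {size} exceeds limit")
        pos = eol + 2
        if size == 0:
            return bytes(out)                      # trailers ignored in this example
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not terminated by CRLF")
        out += body[pos:pos + size]
        pos += size + 2


def check_request(raw: bytes) -> dict:
    request_line, headers, body = parse_headers(raw)
    kind, length = body_framing(headers)
    if kind == "chunked":
        payload = dechunk(body)
    elif kind == "length":
        if len(body) < length:
            raise FramingError("body shorter than Content-Length")
        payload = body[:length]
    else:
        payload = b""
    return {"request_line": request_line, "framing": kind, "body": payload}


# Constructed sample requests, not captured traffic.
SAMPLES = {
    "content-length": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\n\r\nhello",
    "chunked": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    "duplicate-content-length": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\nhello!",
    "cl-and-te": b"POST / HTTP/1.1\r\nHost: x\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "chunk-overflow": b"POST / HTTP/1.1\r\nHost: x\r\nTransfer-Encoding: chunked\r\n\r\n100000000\r\nhello\r\n0\r\n\r\n",
}


def run_samples() -> dict:
    results = {}
    for name, raw in SAMPLES.items():
        try:
            results[name] = "ok: " + check_request(raw)["framing"]
        except FramingError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26} {verdict}")
```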
Check whether org.eclipse.jetty:jetty-server is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for org.eclipse.jetty:jetty-server CVEs against the assets you own.
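The manual version of that check is comparing the jetty-server versions in your SBOM against the "Fixed in" versions above, and the awkward part is ordering Jetty version strings (6.1.0pre3, 8.1.0.RC4, 9.3.9.M1, 9.4.11.v20180605, 12.0.0.alpha0) correctly. The script below is an added example, not EchelonGraph's scanner and not Jetty code. The CycloneDX SBOM fragment is constructed; ADVISORIES copies five (CVE, first affected, fixed) pairs from the list above, each covering only the release branch its "Fixed in" version belongs to, so a real audit needs every branch of every advisory; and the qualifier ordering pre < alpha < beta < M < RC < final release is an assumption about Jetty's numbering, not something this page states.

```python
"""Audit jetty-server versions from a CycloneDX SBOM against fixed versions.

Added example. SBOM content is constructed; ADVISORIES is a partial copy of
the page's data (one branch per entry); qualifier ordering is an assumption.
"""
import re

STAGE_RANK = {"pre": 0, "alpha": 1, "beta": 2, "m": 3, "rc": 4}   # assumed order
FINAL_RANK = 5      # "9.4.56" and "9.4.57.v20241219" both rank as final releases

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]?([A-Za-z]+)(\d*))?")


def parse_version(text: str) -> tuple:
    """Turn a Jetty version string into a tuple that sorts correctly."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = (m.group(4) or "").lower()
    number = int(m.group(5)) if m.group(5) else 0
    if qualifier in ("", "v"):          # final release; the vYYYYMMDD date is not compared
        return (major, minor, patch, FINAL_RANK, 0)
    if qualifier not in STAGE_RANK:
        raise ValueError(f"unknown qualifier {qualifier!r} in {text!r}")
    return (major, minor, patch, STAGE_RANK[qualifier], number)


# (CVE, first affected version, fixed version) taken from the list above.
# Each tuple covers only the branch the page's "Fixed in" refers to.
ADVISORIES = [
    ("CVE-2019-17638", "9.4.27.v20200227", "9.4.30.v20200611"),
    ("CVE-2021-28165", "11.0.0", "11.0.2"),
    ("CVE-2022-2191", "11.0.0", "11.0.10"),
    ("CVE-2023-26049", "12.0.0.alpha0", "12.0.0.beta0"),
    ("CVE-2024-13009", "9.4.0.v20161208", "9.4.57.v20241219"),
]


def affected_by(version: str) -> list:
    """CVEs whose [first, fixed) interval contains the given version."""
    v = parse_version(version)
    return [cve for cve, first, fixed in ADVISORIES
            if parse_version(first) <= v < parse_version(fixed)]


PURL_PREFIX = "pkg:maven/org.eclipse.jetty/jetty-server@"


def jetty_server_versions(sbom: dict) -> list:
    """Pull jetty-server versions out of CycloneDX components by package URL."""
    versions = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        if purl.startswith(PURL_PREFIX):
            versions.append(purl[len(PURL_PREFIX):].split("?", 1)[0])   # drop purl qualifiers
    return versions


def audit(sbom: dict) -> dict:
    return {ver: affected_by(ver) for ver in jetty_server_versions(sbom)}


# Constructed CycloneDX-style fragment, not a real inventory.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.eclipse.jetty", "name": "jetty-server",
         "version": "9.4.28.v20200408",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-server@9.4.28.v20200408"},
        {"type": "library", "group": "org.eclipse.jetty", "name": "jetty-server",
         "version": "11.0.10",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-server@11.0.10?type=jar"},
        {"type": "library", "group": "org.eclipse.jetty", "name": "jetty-util",
         "version": "9.4.28.v20200408",
         "purl": "pkg:maven/org.eclipse.jetty/jetty-util@9.4.28.v20200408"},
    ],
}


if __name__ == "__main__":
    for ver, cves in audit(SAMPLE_SBOM).items():
        print(ver, "->", ", ".join(cves) or "no listed advisory matches")
```

Two things the output makes visible: 9.4.28.v20200408 is inside the narrow CVE-2019-17638 window as well as the long 9.4.x window for CVE-2024-13009, and 11.0.10 is not flagged for CVE-2022-2191 because "Fixed in" is an exclusive bound. A version that parses but is not in any interval is not proof of safety, only that none of the copied entries match.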