Latest eclipse jetty Vulnerabilities

HTTP/2 HPACK integer overflow and buffer allocation
debian/jetty9<=9.4.16-0+deb10u1<=9.4.39-3+deb11u2
redhat/http2-hpack<10.0.16
redhat/http2-hpack<11.0.16
redhat/http2-hpack<9.4.53
redhat/http3-qpack<10.0.16
redhat/http3-qpack<11.0.161
and 15 more
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
Jetty's OpenId Revoked authentication allows one request
Eclipse Jetty>=9.4.21<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
Eclipse Jetty>=11.0.0<11.0.16
Debian Debian Linux=11.0
Debian Debian Linux=12.0
maven/org.eclipse.jetty:jetty-openid>=11.0.0<=11.0.15
and 8 more
### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such reque...
maven/org.eclipse.jetty:jetty-http=12.0.0
maven/org.eclipse.jetty:jetty-http>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-http>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-http>=9.0.0<=9.4.51
Eclipse Jetty>=9.0.0<9.4.52
Eclipse Jetty>=10.0.0<10.0.16
and 17 more
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user send...
maven/org.eclipse.jetty.ee8:jetty-ee8-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee9:jetty-ee9-servlets<=12.0.0-beta1
maven/org.eclipse.jetty.ee10:jetty-ee10-servlets<=12.0.0-beta1
maven/org.eclipse.jetty:jetty-servlets>=11.0.0<=11.0.15
maven/org.eclipse.jetty:jetty-servlets>=10.0.0<=10.0.15
maven/org.eclipse.jetty:jetty-servlets>=9.0.0<=9.4.51
and 18 more
Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=12.0.0alpha0<12.0.0.beta0
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
and 18 more
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when t...
maven/org.eclipse.jetty:jetty-server<9.4.51.v20230217
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.14
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.14
Eclipse Jetty<9.4.51
Eclipse Jetty>=10.0.0<10.0.14
Eclipse Jetty>=11.0.0<11.0.14
and 5 more
Eclipse Jetty is vulnerable to a denial of service, caused by a flaw with SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. By sending a specially-...
Eclipse Jetty>=10.0.0<=10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
IBM Cognos Command Center<=10.2.4.1
### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the...
redhat/jenkins<0:2.401.1.1686831596-3.el8
redhat/jenkins<0:2.361.1.1672840472-1.el8
redhat/jenkins<0:2.361.1.1675668150-1.el8
maven/org.eclipse.jetty.http2:http2-server>=11.0.0<11.0.10
maven/org.eclipse.jetty.http2:http2-server>=10.0.0<10.0.10
maven/org.eclipse.jetty.http2:http2-server<9.4.47
and 14 more
Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this...
Eclipse Jetty<9.4.46
Eclipse Jetty>=10.0.0<10.0.9
Eclipse Jetty>=11.0.0<=11.0.9
Debian Debian Linux=10.0
Debian Debian Linux=11.0
Netapp Element Plug-in For Vcenter Server
and 6 more
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security co...
redhat/jetty<9.4.43
redhat/jetty<10.0.6
redhat/jetty<11.0.6
Eclipse Jetty>=9.4.37<9.4.43
Eclipse Jetty>=10.0.1<10.0.6
Eclipse Jetty>=11.0.1<11.0.6
and 19 more
Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an exception is thrown from the SessionListener#sessionDestroyed() me...
redhat/jenkins<0:2.289.3.1630554997-1.el8
IBM Cognos Command Center<=10.2.4.1
debian/jetty9
redhat/jetty<9.4.41
redhat/jetty<10.0.3
redhat/jetty<11.0.3
and 19 more
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker coul...
redhat/jenkins<0:2.289.3.1630554997-1.el8
Eclipse Jetty<9.4.41
Eclipse Jetty>=10.0.0<10.0.3
Eclipse Jetty>=11.0.0<11.0.3
Debian Debian Linux=9.0
Debian Debian Linux=10.0
and 9 more
### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU re...
maven/org.eclipse.jetty:jetty-server>=11.0.0<11.0.2
maven/org.eclipse.jetty:jetty-server>=10.0.0<10.0.2
maven/org.eclipse.jetty:jetty-server>=7.2.2<9.4.39
redhat/rh-eclipse-jetty<0:9.4.40-1.1.el7_9
redhat/jenkins<0:2.277.3.1620393611-1.el8
redhat/runc<0:1.0.0-95.rhaos4.8.gitcd80260.el8
and 29 more
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper input validation by the default compliance mode. By sending specially-crafted requests with URIs that co...
redhat/rh-eclipse-jetty<0:9.4.40-1.1.el7_9
redhat/jetty<9.4.39
Eclipse Jetty=9.4.37-20210219
Eclipse Jetty=9.4.38-20210224
NetApp Cloud Manager
Netapp E-series Performance Analyzer
and 16 more
Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink. By sen...
redhat/rh-eclipse-jetty<0:9.4.40-1.1.el7_9
redhat/jenkins<0:2.277.3.1620393611-1.el8
redhat/runc<0:1.0.0-95.rhaos4.8.gitcd80260.el8
redhat/jetty<9.4.39
redhat/jetty<10.0.2
redhat/jetty<11.0.2
and 33 more
Eclipse Jetty is vulnerable to a denial of service, caused by an error when handling a request containing multiple Accept headers with a large number of quality parameters. By sending a specially-craf...
redhat/jenkins<0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
debian/jetty9
redhat/jetty-9.4.37.v20210219 jetty-10.0.1 jetty<11.0.1
Eclipse Jetty>=9.4.7<9.4.36
and 25 more
### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received en...
redhat/jenkins<0:2.289.1.1624365627-1.el7
redhat/jenkins<0:2.277.3.1623846768-1.el7
redhat/jenkins<0:2.277.3.1623853726-1.el8
Eclipse Jetty>=9.4.0<9.4.35
Eclipse Jetty=10.0.0-alpha0
Eclipse Jetty=10.0.0-alpha1
and 31 more
### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the sh...
redhat/rh-eclipse<1:4.17-6.el7_9
redhat/rh-eclipse-ant<0:1.10.9-1.2.el7
redhat/rh-eclipse-antlr32<0:3.2-28.1.el7
redhat/rh-eclipse-apache-sshd<1:2.4.0-5.1.el7
redhat/rh-eclipse-apiguardian<0:1.1.0-6.1.el7
redhat/rh-eclipse-args4j<0:2.33-12.2.el7
and 108 more
Eclipse Jetty, as bundled in Jenkins, could allow a remote attacker to obtain sensitive information, caused by an issue with corrupt HTTP response buffer being sent to different clients. By sending a ...
redhat/jenkins<0:2.235.5.1600415953-1.el7
redhat/jenkins<0:2.235.5.1600415514-1.el7
redhat/jenkins<0:2.235.5.1600414805-1.el7
Eclipse Jetty=9.4.27-20200227
Eclipse Jetty=9.4.28-20200408
Eclipse Jetty=9.4.29-20200521
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
Eclipse Jetty<6.1.22
Debian Debian Linux=8.0
debian/jetty
Dump Servlet information leak in jetty before 6.1.22.
Eclipse Jetty<6.1.22
Debian Debian Linux=8.0
debian/jetty
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw when configured for showing a listing of directory contents. By sending a specially-crafted request, a rem...
Eclipse Jetty=9.2.27-20190403
Eclipse Jetty=9.3.26-20190403
Eclipse Jetty=9.4.16-20190411
Microsoft Windows
NetApp OnCommand System Manager>=3.0<=3.1.3
NetApp Snap Creator Framework
and 49 more
Eclipse Jetty is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the DefaultServlet and ResourceHandler. A remote attacker could exploit this vulnerability ...
Eclipse Jetty=9.2.0-20140523
Eclipse Jetty=9.2.0-20140526
Eclipse Jetty=9.2.0-maintenance_0
Eclipse Jetty=9.2.0-maintenance_1
Eclipse Jetty=9.2.0-rc0
Eclipse Jetty=9.2.1-20140609
and 138 more
Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the DefaultHandler. By sending a specially-crafted request, a remote attacker could exploit this vulner...
Eclipse Jetty=7.0.0-20091005
Eclipse Jetty=7.0.0-maintenance_0
Eclipse Jetty=7.0.0-maintenance_1
Eclipse Jetty=7.0.0-maintenance_2
Eclipse Jetty=7.0.0-maintenance_3
Eclipse Jetty=7.0.0-maintenance_4
and 331 more
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many sma...
Eclipse Jetty=9.3.0-20150601
Eclipse Jetty=9.3.0-20150608
Eclipse Jetty=9.3.0-20150612
Eclipse Jetty=9.3.0-maintenance0
Eclipse Jetty=9.3.0-maintenance1
Eclipse Jetty=9.3.0-maintenance2
and 80 more
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled...
IBM Cognos Command Center<=10.2.4.1
Eclipse Jetty>=9.0.0<=9.2.26
Eclipse Jetty>=9.3.0<9.3.24
Eclipse Jetty>=9.4.0<9.4.11
Oracle Retail Xstore Point of Service=7.1
Oracle Retail Xstore Point of Service=15.0
and 2 more
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by improper handling of Chunked Transfer-Encoding chunk size. By sending a specially-crafted request, an attacker could exploit this vulne...
debian/jetty9
IBM Cognos Command Center<=10.2.4.1
Eclipse Jetty<=9.2.26
Eclipse Jetty>=9.3.0<9.3.24
Eclipse Jetty>=9.4.0<9.4.11
Debian Debian Linux=9.0
and 25 more
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line ...
debian/jetty9
Eclipse Jetty<=9.2.26
Eclipse Jetty>=9.3.0<9.3.24
Eclipse Jetty>=9.4.0<9.4.11
Debian Debian Linux=9.0
IBM Cognos Command Center<=10.2.4.1
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/...
Eclipse Jetty>=9.4.0<=9.4.8
Netapp E-series Santricity Management Plug-ins
NetApp E-Series SANtricity OS Controller>=11.0<=11.40
Netapp E-series Santricity Web Services Proxy
Netapp Element Software
Netapp Hyper Converged Infrastructure
and 6 more
Eclipse Jetty is vulnerable to HTTP request smuggling, caused by a flaw when handling more than one Content-Length headers. By sending a specially-crafted request, an attacker could exploit this vulne...
debian/jetty9
IBM Cognos Command Center<=10.2.4.1
Eclipse Jetty<=9.2.26
Eclipse Jetty>=9.3.0<9.3.24
Eclipse Jetty>=9.4.0<9.4.11
Debian Debian Linux=9.0
and 28 more

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203