Package details: pkg:deb/debian/jetty9@9.4.39-2?distro=trixie
purl: pkg:deb/debian/jetty9@9.4.39-2?distro=trixie
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)

VCID-g3ff-brt6-vkeh (aliases: CVE-2021-28169, GHSA-gwcr-j4wh-j3cq)
Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability

Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example, a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. They then use this decoded path to call `RequestDispatcher`, which decodes the path again. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass the security check.

### Impact
This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3.

### Workarounds
If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.

VCID-q35p-8qhp-aqec (aliases: CVE-2021-34428, GHSA-m6cp-vxjx-65j6)
SessionListener can prevent a session from being invalidated, breaking logout

### Impact
If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated, which can leave an application used on a shared computer logged in. There is no known path for an attacker to induce such an exception to be thrown, so they must rely on an application throwing such an exception. The reporter has also identified that during the call to `sessionDestroyed`, `getLastAccessedTime()` throws an `IllegalStateException`, which is potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested in a non-clustered test environment, it may be deployed in a clustered environment with multiple contexts and fail to log out.

### Workarounds
The application should catch all Throwables within its `SessionListener#sessionDestroyed()` implementations.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T11:53:49.188235+00:00 | Debian Importer | Fixing | VCID-g3ff-brt6-vkeh | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T10:28:03.858513+00:00 | Debian Importer | Fixing | VCID-q35p-8qhp-aqec | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T08:07:17.270512+00:00 | Debian Importer | Fixing | VCID-g3ff-brt6-vkeh | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-13T07:03:47.797653+00:00 | Debian Importer | Fixing | VCID-q35p-8qhp-aqec | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:27:50.479152+00:00 | Debian Importer | Fixing | VCID-q35p-8qhp-aqec | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:27:50.429903+00:00 | Debian Importer | Fixing | VCID-g3ff-brt6-vkeh | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |