Package details: pkg:deb/debian/jetty9@9.4.48-1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
Vulnerability Summary Aliases
VCID-dvyn-8phs-a3a6
Summary: Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service
Aliases: CVE-2022-2048, GHSA-wgmr-mf83-7x4j

### Description
Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or to congest the TCP connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service.

### Impact
A malicious client may render the server unresponsive.

### Patches
The fix is available in Jetty versions 9.4.47, 10.0.10, 11.0.10.

### Workarounds
No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy).

### For more information
If you have any questions or comments about this advisory:
* Email us at security@webtide.com.

VCID-tqm9-4ch7-s7b3
Summary: Jetty invalid URI parsing may produce invalid HttpURI.authority
Aliases: CVE-2022-2047, GHSA-cj7v-27pg-wf7q

### Description
URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URI of the type `http://localhost;/path` should be interpreted either as invalid or with `localhost;` as the userinfo and no host. However, `HttpURI.host` returns `localhost;`, which is definitely wrong.

### Impact
This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.

### Patches
Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10 and 11.0.10.

### Workarounds
None.

### For more information
If you have any questions or comments about this advisory:
* Email us at security@webtide.com.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-16T10:56:38.677943+00:00 | Debian Importer | Fixing | VCID-tqm9-4ch7-s7b3 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-16T09:23:52.209642+00:00 | Debian Importer | Fixing | VCID-dvyn-8phs-a3a6 | https://security-tracker.debian.org/tracker/data/json | 38.4.0 |
| 2026-04-13T07:25:17.434592+00:00 | Debian Importer | Fixing | VCID-tqm9-4ch7-s7b3 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-11T18:16:24.144175+00:00 | Debian Importer | Fixing | VCID-dvyn-8phs-a3a6 | https://security-tracker.debian.org/tracker/data/json | 38.3.0 |
| 2026-04-03T07:27:50.622258+00:00 | Debian Importer | Fixing | VCID-dvyn-8phs-a3a6 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |
| 2026-04-03T07:27:50.574364+00:00 | Debian Importer | Fixing | VCID-tqm9-4ch7-s7b3 | https://security-tracker.debian.org/tracker/data/json | 38.1.0 |