| purl | pkg:maven/org.eclipse.jetty/jetty-server@9.3.0 |
| Tags | Ghost |
| Next non-vulnerable version | 9.4.57.v20241219 |
| Latest non-vulnerable version | 12.1.6 |
| Risk | 4.5 |
| Vulnerability | Aliases | Summary | Fixed by |
|---|---|---|---|
| VCID-12gq-ezut-ckhz | CVE-2017-7657, GHSA-vgg8-72f2-qm23 | (no summary on this page) | fixing version not captured in this extract (affected by 9 other vulnerabilities) |
| VCID-6uhn-tn81-cyac | CVE-2019-10246, GHSA-r28m-g6j9-r2h5 | Information exposure: when Jetty runs on Windows and is configured to show a listing of directory contents, the fully qualified name of the base resource directory is exposed to a remote client. The disclosure is limited to the content of the configured base resource directories. | two fixing versions not captured in this extract (affected by 6 and 9 other vulnerabilities) |
| VCID-ahev-zdjd-gqg1 | CVE-2019-10241, GHSA-7vx9-xjhr-rw6h | Cross-site scripting: the server is vulnerable to XSS if a remote client uses a specially formatted URL against the `DefaultServlet` or `ResourceHandler` when either is configured to show a listing of directory contents. | four fixing versions not captured in this extract (affected by 8, 8, 11 and 11 other vulnerabilities) |
| VCID-czhb-gqt2-17av | CVE-2019-10247, GHSA-xc67-hjx6-cgg6 | Information exposure: on any OS and Jetty version combination, the server reveals the configured fully qualified directory base resource location in the error output for a request path that matches no Context. The default server setup in jetty-distribution and jetty-home places a `DefaultHandler` at the end of the Handler tree; it reports this error by presenting the configured contexts as HTML for users to click through, and that HTML includes the fully qualified base resource location of each context. | two fixing versions not captured in this extract (affected by 6 and 9 other vulnerabilities) |
| VCID-dznb-x27e-kqan | CVE-2017-9735, GHSA-wfcc-pff6-rgc5 | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing the elapsed time before rejection of incorrect passwords. | two fixing versions not captured in this extract (affected by 12 and 15 other vulnerabilities) |
| VCID-kh4j-dvmk-akaz | CVE-2018-12545, GHSA-h2f4-v4c4-6wx4 | Uncontrolled resource consumption in org.eclipse.jetty:jetty-server: in Jetty 9.3.x and 9.4.x the server is vulnerable to denial of service if a remote client sends either large HTTP/2 SETTINGS frames containing many settings, or many small SETTINGS frames. The cause is the additional CPU and memory allocation required to handle changed settings. | two fixing versions not captured in this extract (affected by 8 and 11 other vulnerabilities) |
| VCID-kvqz-fppe-d7fe | CVE-2017-7658, GHSA-6x9x-8qw9-9pp6 | (no summary on this page) | two fixing versions not captured in this extract (affected by 9 and 11 other vulnerabilities) |
| VCID-r725-4tby-87f2 | CVE-2016-4800, GHSA-872g-2h8h-362q | The path normalization mechanism in the PathResource class in Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. | two fixing versions not captured in this extract (affected by 0 and 12 other vulnerabilities) |
| VCID-u2b5-uyd6-fbh9 | CVE-2018-12536, GHSA-9rgv-h7x4-qw8g | In all 9.x versions, on webapps deployed using default error handling, an intentionally bad query that matches no dynamic url-pattern and is eventually handled by the DefaultServlet's static file serving can trigger a java.nio.file.InvalidPathException whose message includes the full path to the base resource directory the DefaultServlet and/or webapp is using. If the default Error Handler then handles that exception, its message is included in the error response, revealing the full server path to the requesting system. | two fixing versions not captured in this extract (affected by 9 and 11 other vulnerabilities) |
| VCID-znv6-77jf-v3gu | CVE-2017-7656, GHSA-84q7-p226-4x5w | In versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly: an HTTP/1-style request line (method, space, URI, space, version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If the server is deployed behind an intermediary that also accepts and passes through the 0.9 version (but does not act on it), the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. | two fixing versions not captured in this extract (affected by 9 and 11 other vulnerabilities) |
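The timing channel in VCID-dznb-x27e-kqan (CVE-2017-9735) is easiest to see with the comparison written out. The following Python is an added example, not code from VulnerableCode or from Jetty's `Password.java`: `naive_check` is the early-exit pattern, `constant_time_check` the fix, and `recover_by_timing` a simulated attacker that treats "characters examined" as a stand-in for response latency. The credential `s3cret` is constructed; `hmac.compare_digest` is the standard-library call real code should use.

```python
import hmac
import string


def naive_check(stored: str, supplied: str) -> tuple[bool, int]:
    """Early-exit comparison, the pattern behind a password timing channel.

    Returns (match, characters_examined). The count stands in for elapsed
    time: it grows with the length of the correct prefix, so a client that
    can measure response latency learns the password one character at a time.
    """
    if len(stored) != len(supplied):
        return False, 0
    examined = 0
    for a, b in zip(stored, supplied):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_check(stored: str, supplied: str) -> tuple[bool, int]:
    """Same decision, but the work done does not depend on the candidate.

    Every byte of the stored value is always examined; mismatches are
    accumulated with XOR/OR instead of ending the loop early.
    """
    s = stored.encode()
    u = supplied.encode()
    # Pad or truncate the candidate to the stored length so the loop always
    # runs len(s) times, and fold the length mismatch into the result.
    padded = u[: len(s)].ljust(len(s), b"\0")
    diff = len(s) ^ len(u)
    examined = 0
    for a, b in zip(s, padded):
        examined += 1
        diff |= a ^ b
    return diff == 0, examined


def production_check(stored: str, supplied: str) -> bool:
    """What real code should call: the standard library's constant-time compare."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


def recover_by_timing(oracle, length: int,
                      alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Simulated remote attacker who knows only the password length.

    `oracle(candidate)` returns (accepted, cost), where cost models the
    server's response time. The attacker extends the guess one position at
    a time, keeping the candidate that made the server do the most work,
    and gives up as soon as every candidate costs the same.
    """
    filler = alphabet[0]
    guess = ""
    for _ in range(length):
        costs = {}
        for c in alphabet:
            candidate = (guess + c).ljust(length, filler)
            accepted, cost = oracle(candidate)
            if accepted:
                return guess + c
            costs[c] = cost
        if len(set(costs.values())) == 1:
            return guess  # no signal: the comparison leaks nothing
        guess += max(costs, key=costs.get)
    return guess


if __name__ == "__main__":
    secret = "s3cret"  # constructed example credential
    print(recover_by_timing(lambda c: naive_check(secret, c), len(secret)))               # s3cret
    print(repr(recover_by_timing(lambda c: constant_time_check(secret, c), len(secret))))  # ''
```

Against `naive_check` the attacker recovers the whole secret in at most `len(alphabet) * len(secret)` probes; against `constant_time_check` every candidate costs the same, so the attack stalls at the first character.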
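VCID-kh4j-dvmk-akaz (CVE-2018-12545) names two attack shapes, one large SETTINGS frame with many entries or a flood of small ones, and both are cheap for the client and costly for the server. The Python below is an added example, not Jetty's HTTP/2 implementation: it encodes and decodes SETTINGS frames in the RFC 7540 wire format, applies the frame-level validity checks, and charges every frame and every entry against a sliding-window budget so that either shape is cut off with ENHANCE_YOUR_CALM before the work is done. The budget size and window (64 units per second) and the `FakeClock` are assumptions for the example.

```python
import struct
import time
from collections import deque

SETTINGS = 0x4          # frame type (RFC 7540 section 6.5)
FLAG_ACK = 0x1
PROTOCOL_ERROR = 0x1    # connection error codes (RFC 7540 section 7)
FRAME_SIZE_ERROR = 0x6
ENHANCE_YOUR_CALM = 0xB


def settings_frame(entries, flags=0, stream_id=0) -> bytes:
    """Encode a SETTINGS frame: 9-byte header, then 6-byte (id, value) pairs."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in entries)
    header = (len(payload).to_bytes(3, "big") + bytes([SETTINGS, flags])
              + stream_id.to_bytes(4, "big"))
    return header + payload


def read_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            return  # incomplete frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length


class FakeClock:
    """Deterministic clock so the example behaves the same on every run."""
    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float):
        self.t += seconds


class SettingsBudget:
    """Sliding-window budget on the work a peer may cause with SETTINGS.

    Each frame costs 1 plus 1 per entry, so one huge frame and a flood of
    tiny frames drain the same budget. max_cost and window are tuning
    assumptions for this example, not Jetty's values.
    """
    def __init__(self, max_cost: int, window: float, clock=None):
        self.max_cost = max_cost
        self.window = window
        self.clock = clock or time.monotonic
        self.events = deque()  # (timestamp, cost)

    def charge(self, n_entries: int) -> bool:
        now = self.clock()
        while self.events and now - self.events[0][0] >= self.window:
            self.events.popleft()
        cost = 1 + n_entries
        if sum(c for _, c in self.events) + cost > self.max_cost:
            return False
        self.events.append((now, cost))
        return True


def handle_settings(buf: bytes, budget: SettingsBudget):
    """Process the SETTINGS frames in buf.

    Returns ("ok", {setting_id: value}) or ("goaway", error_code); the
    latter means the connection should be closed with that code.
    """
    applied = {}
    for ftype, flags, stream_id, payload in read_frames(buf):
        if ftype != SETTINGS:
            continue                                # other frame types are out of scope here
        if stream_id != 0:
            return "goaway", PROTOCOL_ERROR         # SETTINGS is connection-level only
        if flags & FLAG_ACK:
            if payload:
                return "goaway", FRAME_SIZE_ERROR   # an ACK must carry no payload
            continue
        if len(payload) % 6:
            return "goaway", FRAME_SIZE_ERROR
        n_entries = len(payload) // 6
        if not budget.charge(n_entries):
            return "goaway", ENHANCE_YOUR_CALM      # refuse before doing the work
        for i in range(n_entries):
            ident, value = struct.unpack_from("!HI", payload, i * 6)
            applied[ident] = value
    return "ok", applied
```

The important ordering is that the budget is charged before any entry is parsed or applied, so a peer that overspends costs the server one integer comparison rather than a reconfiguration per setting.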
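VCID-r725-4tby-87f2 (CVE-2016-4800) is a classic check-then-resolve mismatch: the security constraint is evaluated on the URI as received, but the file is looked up through a Windows path API that treats an escaped backslash (`%5C`) as a separator. The Python below is an added example, not Jetty's `PathResource` code: `vulnerable_serve` performs the check on the decoded URI and then resolves it the way Windows would (`ntpath` runs on any platform), and `hardened_serve` canonicalises first and makes every decision on the canonical form. The base directory `C:\jetty\webapps\app` and the request paths are constructed.

```python
import ntpath
from typing import Optional
from urllib.parse import unquote

# Constructed example: a webapp's base resource on a Windows host.
BASE = r"C:\jetty\webapps\app"
# Directories the servlet spec says must never be served directly.
PROTECTED = ("/WEB-INF", "/META-INF")


def _is_protected(uri_path: str) -> bool:
    up = uri_path.upper()  # case-insensitive because the Windows filesystem is
    return any(up == p or up.startswith(p + "/") for p in PROTECTED)


def windows_resolve(decoded_path: str) -> str:
    """Model of the resource lookup on Windows: the platform path API treats
    '\\' and '/' alike and collapses '..', so a request that slipped past a
    '/'-only check still lands on the protected file."""
    rel = decoded_path.lstrip("/\\")
    return ntpath.normpath(ntpath.join(BASE, rel))


def vulnerable_serve(raw_path: str) -> Optional[str]:
    """Check on the decoded URI as received, then resolve it.

    The check only understands '/' as a separator, so "/WEB-INF\\web.xml"
    (sent as %5C) does not look like anything under /WEB-INF/ and passes.
    Returns None when refused, otherwise the file the server would open.
    """
    decoded = unquote(raw_path)
    if _is_protected(decoded):
        return None
    return windows_resolve(decoded)


def canonical_uri_path(raw_path: str) -> Optional[str]:
    """Canonicalise before any security decision.

    Decode exactly once, treat '\\' as '/', resolve '.' and '..', and return
    None (answer 400, not a file) for paths that climb out of the root or
    carry characters the filesystem would silently alter.
    """
    unified = unquote(raw_path).replace("\\", "/")
    parts = []
    for seg in unified.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:
                return None      # would escape the context root
            parts.pop()
            continue
        if any(ord(ch) < 0x20 for ch in seg) or seg[-1] in ". ":
            return None          # Windows strips trailing dots and spaces from names
        parts.append(seg)
    return "/" + "/".join(parts)


def hardened_serve(raw_path: str) -> Optional[str]:
    """Check and resolve the same canonical string, so the two cannot disagree."""
    canon = canonical_uri_path(raw_path)
    if canon is None or _is_protected(canon):
        return None
    return windows_resolve(canon)


if __name__ == "__main__":
    for req in ("/WEB-INF%5Cweb.xml", "/static/..%5CWEB-INF/web.xml", "/css/site.css"):
        print(req, "->", vulnerable_serve(req), "|", hardened_serve(req))
```

The first two requests are served by `vulnerable_serve` as `C:\jetty\webapps\app\WEB-INF\web.xml` and refused by `hardened_serve`; the third is served by both. The general rule is the one the hardened path follows: there must be exactly one decoding step, and the string that is authorised must be the string that is opened.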
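The cache-poisoning chain in VCID-znv6-77jf-v3gu (CVE-2017-7656) has three parts: the origin accepts a request line that names HTTP/0.9, answers in 0.9 style (bare body, no status line or headers), and a 1.x-only intermediary parses that body as a full response. The Python below is an added example modelling all three, not Jetty's parser or any particular proxy: `lenient_09` stands in for the pre-fix behaviour (and the RFC2616-compliance mode the advisory mentions), and `POISON` is a constructed payload standing in for response content the requesting client controls, which is the precondition the advisory states.

```python
import re

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+)(?: (HTTP/\d\.\d))?$")
BAD_REQUEST = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


def parse_request_line(line: bytes, lenient_09: bool):
    """Return (method, target, version), or None for a 400.

    A genuine HTTP/0.9 request is just "GET <target>" with no version token.
    The advisory's case is an HTTP/1-style line that *names* HTTP/0.9.
    With lenient_09 both are honoured as 0.9; strict mode accepts only an
    explicit HTTP/1.x version (a modelling choice for this example).
    """
    m = REQUEST_LINE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    method, target, version = m.groups()
    if version is None or version == b"HTTP/0.9":
        return (method, target, b"HTTP/0.9") if lenient_09 else None
    return method, target, version


def build_response(version: bytes, body: bytes) -> bytes:
    """An HTTP/0.9 response is the bare body: no status line, no headers."""
    if version == b"HTTP/0.9":
        return body
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


def origin_handle(request_line: bytes, echoed_body: bytes, lenient_09: bool) -> bytes:
    """The origin server; echoed_body is content the requesting client chose."""
    parsed = parse_request_line(request_line, lenient_09)
    if parsed is None:
        return BAD_REQUEST
    return build_response(parsed[2], echoed_body)


def intermediary_parse(raw: bytes):
    """A caching proxy that only speaks HTTP/1.

    It reads a status line and headers from whatever bytes the origin sent.
    Returns (status, headers, body), or None if there is no HTTP/1 status line.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"^HTTP/1\.[01] (\d{3})", lines[0])
    if not m:
        return None
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers, body


# Constructed attacker payload: sent back as a 0.9 response it is raw bytes,
# but a 1.x-only cache reads it as a complete, long-lived HTTP/1.1 response.
POISON = (b"HTTP/1.1 200 OK\r\n"
          b"Cache-Control: public, max-age=31536000\r\n"
          b"Content-Type: text/html\r\n\r\n"
          b"<script>alert('poisoned')</script>")

if __name__ == "__main__":
    leaked = origin_handle(b"GET /echo HTTP/0.9\r\n", POISON, lenient_09=True)
    print(intermediary_parse(leaked))          # status 200 with the attacker's Cache-Control
    print(origin_handle(b"GET /echo HTTP/0.9\r\n", POISON, lenient_09=False))  # 400
```

With `lenient_09=True` the bytes the proxy receives are exactly `POISON`, so it sees a 200 with `Cache-Control: public, max-age=31536000` and caches the attacker's HTML for `/echo`. With the same payload sent over HTTP/1.1 the origin wraps it in its own status line and headers, and the proxy sees a `text/plain` body containing the attacker's text, which is harmless.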
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |