| purl | pkg:maven/org.eclipse.jetty/jetty-server@9.4.0 |
| Tags | Ghost |
| Next non-vulnerable version | 9.4.57.v20241219 |
| Latest non-vulnerable version | 12.1.6 |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-6uhn-tn81-cyac Aliases: CVE-2019-10246 GHSA-r28m-g6j9-r2h5 | Information Exposure: In Eclipse Jetty version, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. | Affected by 9 other vulnerabilities. |
| VCID-ahev-zdjd-gqg1 Aliases: CVE-2019-10241 GHSA-7vx9-xjhr-rw6h | Cross-site Scripting: Jetty server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the `DefaultServlet` or `ResourceHandler` that is configured for showing a Listing of directory contents. | Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-czhb-gqt2-17av Aliases: CVE-2019-10247 GHSA-xc67-hjx6-cgg6 | Information Exposure: In Eclipse Jetty, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a `DefaultHandler`, which is responsible for reporting this error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context. | Affected by 9 other vulnerabilities. |
| VCID-dznb-x27e-kqan Aliases: CVE-2017-9735 GHSA-wfcc-pff6-rgc5 | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. | Affected by 15 other vulnerabilities. |
| VCID-kh4j-dvmk-akaz Aliases: CVE-2018-12545 GHSA-h2f4-v4c4-6wx4 | Uncontrolled Resource Consumption in org.eclipse.jetty:jetty-server: In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. | Affected by 11 other vulnerabilities. |
| VCID-kvqz-fppe-d7fe Aliases: CVE-2017-7658 GHSA-6x9x-8qw9-9pp6 | | Affected by 11 other vulnerabilities. |
| VCID-kx4x-gnk4-yugu Aliases: CVE-2024-13009 GHSA-q4rv-gq96-w7c5 | **UNSUPPORTED WHEN ASSIGNED** GzipHandler causes part of request body to be seen as request body of a separate request: In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | Affected by 0 other vulnerabilities. |
| VCID-nyxu-ekhs-gyb5 Aliases: CVE-2020-27218 GHSA-86wm-rrjm-8wh8 | Buffer not correctly recycled in Gzip Request inflation. **Impact:** If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data, but may inject data into the body of the subsequent request. CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1). **Workarounds:** The problem can be worked around by either: (1) disabling compressed request body inflation by GzipHandler; (2) always fully consuming the request content before sending a response; (3) adding a `Connection: close` to any response where the servlet does not fully consume request content. | Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| VCID-q54z-9km5-7bf3 Aliases: CVE-2018-12538 GHSA-mwcx-532g-8pq3 | In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. | Affected by 15 other vulnerabilities. Affected by 11 other vulnerabilities. |
| VCID-u2b5-uyd6-fbh9 Aliases: CVE-2018-12536 GHSA-9rgv-h7x4-qw8g | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system. | Affected by 11 other vulnerabilities. |
| VCID-znv6-77jf-v3gu Aliases: CVE-2017-7656 GHSA-84q7-p226-4x5w | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response. | Affected by 11 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |