Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.eclipse.jetty/jetty-server@9.0.0

Type maven

Namespace org.eclipse.jetty

Name jetty-server

Version 9.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 9.4.57.v20241219

Latest_non_vulnerable_version 12.1.6

Affected_by_vulnerabilities

url VCID-1ceb-5aaj-zbfn

vulnerability_id VCID-1ceb-5aaj-zbfn

summary

Information Exposure
When an intentionally bad query arrives that does not match a dynamic url-pattern, and is eventually handled by the `DefaultServlet` static file serving, the bad characters can trigger a `java.nio.file.InvalidPathException` which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this `InvalidPathException` is then handled by the default Error Handler, the `InvalidPathException` message is included in the error response, revealing the full server path to the requesting system.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12536.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-12536.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-12536

reference_id

reference_type

scores

value	0.0351
scoring_system	epss
scoring_elements	0.8786
published_at	2026-06-05T12:55:00Z

value	0.0351
scoring_system	epss
scoring_elements	0.87838
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-12536

reference_url

https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536

reference_url

https://github.com/eclipse/jetty.project

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project

reference_url	https://github.com/eclipse/jetty.project/commit/53e8bc2a636707e896fd106fbee3596823c2cdc
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project/commit/53e8bc2a636707e896fd106fbee3596823c2cdc

reference_url	https://github.com/eclipse/jetty.project/commit/a51920d650d924cc2cea011995624b394437c6e
reference_id
reference_type
scores
url	https://github.com/eclipse/jetty.project/commit/a51920d650d924cc2cea011995624b394437c6e

reference_url

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.apache.org/thread.html/053d9ce4d579b02203db18545fee5e33f35f2932885459b74d1e4272@%3Cissues.activemq.apache.org%3E

reference_url

https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2021/05/msg00016.html

reference_url

https://security.netapp.com/advisory/ntap-20181014-0001

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20181014-0001

reference_url	https://security.netapp.com/advisory/ntap-20181014-0001/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20181014-0001/

reference_url

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03953en_us

reference_url

https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20200516001904/http://www.securitytracker.com/id/1041194

reference_url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuoct2020.html

reference_url

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

reference_url	http://www.securitytracker.com/id/1041194
reference_id
reference_type
scores
url	http://www.securitytracker.com/id/1041194

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1597418
reference_id	1597418
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1597418

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902774
reference_id	902774
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=902774

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-12536

reference_id

CVE-2018-12536

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-12536

reference_url

https://github.com/advisories/GHSA-9rgv-h7x4-qw8g

reference_id

GHSA-9rgv-h7x4-qw8g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9rgv-h7x4-qw8g

reference_url	https://access.redhat.com/errata/RHSA-2020:0983
reference_id	RHSA-2020:0983
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:0983

fixed_packages

url pkg:maven/org.eclipse.jetty/jetty-server@9.2.27.v20190403

purl pkg:maven/org.eclipse.jetty/jetty-server@9.2.27.v20190403

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2p9t-s37z-b7ac

vulnerability	VCID-3k1u-qrwz-ubgu

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-9an6-1me1-97fc

vulnerability	VCID-bq5u-wuuv-m7au

vulnerability	VCID-emr9-k9h1-vkeb

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-hwnn-v58k-93hp

vulnerability	VCID-p2fr-edcy-47ct

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.2.27.v20190403

url pkg:maven/org.eclipse.jetty/jetty-server@9.3.24.v20180605

purl pkg:maven/org.eclipse.jetty/jetty-server@9.3.24.v20180605

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2p9t-s37z-b7ac

vulnerability	VCID-3k1u-qrwz-ubgu

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-9an6-1me1-97fc

vulnerability	VCID-9qyq-hht8-nqgz

vulnerability	VCID-bq5u-wuuv-m7au

vulnerability	VCID-f9tf-uebt-kqcy

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-p2fr-edcy-47ct

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.3.24.v20180605

url pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605

purl pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2p9t-s37z-b7ac

vulnerability	VCID-3k1u-qrwz-ubgu

vulnerability	VCID-3vps-uq7s-nfb7

vulnerability	VCID-9an6-1me1-97fc

vulnerability	VCID-9qyq-hht8-nqgz

vulnerability	VCID-bq5u-wuuv-m7au

vulnerability	VCID-gua7-n9ne-t3hk

vulnerability	VCID-jktf-sads-m7ca

vulnerability	VCID-k829-sb45-hba9

vulnerability	VCID-p2fr-edcy-47ct

vulnerability	VCID-r7rk-5z6r-33a1

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.4.11.v20180605

aliases CVE-2018-12536, GHSA-9rgv-h7x4-qw8g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1ceb-5aaj-zbfn

url VCID-3vps-uq7s-nfb7

vulnerability_id VCID-3vps-uq7s-nfb7

summary

Improper Handling of Length Parameter Inconsistency
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40167.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-40167

reference_id

reference_type

scores

value	0.04575
scoring_system	epss
scoring_elements	0.89418
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-40167

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26048

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26049

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36479

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40167

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41900

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/eclipse/jetty.project

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/eclipse/jetty.project

reference_url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/

url

https://lists.debian.org/debian-lts-announce/2023/09/msg00039.html

reference_url

https://www.debian.org/security/2023/dsa-5507

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/

url

https://www.debian.org/security/2023/dsa-5507

reference_url

https://www.rfc-editor.org/rfc/rfc9110#section-8.6

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/

url

https://www.rfc-editor.org/rfc/rfc9110#section-8.6

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2239634
reference_id	2239634
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2239634

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-40167

reference_id

CVE-2023-40167

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-40167

reference_url	https://github.com/advisories/GHSA-hmr7-m48g-48f6
reference_id	GHSA-hmr7-m48g-48f6
reference_type
scores
url	https://github.com/advisories/GHSA-hmr7-m48g-48f6

reference_url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6

reference_id

GHSA-hmr7-m48g-48f6

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-25T18:49:57Z/

url

https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6

reference_url	https://access.redhat.com/errata/RHSA-2023:5441
reference_id	RHSA-2023:5441
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5441

reference_url	https://access.redhat.com/errata/RHSA-2023:5780
reference_id	RHSA-2023:5780
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5780

reference_url	https://access.redhat.com/errata/RHSA-2023:5946
reference_id	RHSA-2023:5946
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:5946

reference_url	https://access.redhat.com/errata/RHSA-2023:7247
reference_id	RHSA-2023:7247
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7247

reference_url	https://access.redhat.com/errata/RHSA-2023:7678
reference_id	RHSA-2023:7678
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7678

reference_url	https://access.redhat.com/errata/RHSA-2023:7697
reference_id	RHSA-2023:7697
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:7697

reference_url	https://access.redhat.com/errata/RHSA-2024:0778
reference_id	RHSA-2024:0778
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0778

reference_url	https://access.redhat.com/errata/RHSA-2024:0797
reference_id	RHSA-2024:0797
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:0797

fixed_packages

url pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823

purl pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jktf-sads-m7ca

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.4.52.v20230823

url	pkg:maven/org.eclipse.jetty/jetty-server@10.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-server@10.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@10.0.16

url	pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
purl	pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.16

url	pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
purl	pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.1

aliases CVE-2023-40167, GHSA-hmr7-m48g-48f6

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3vps-uq7s-nfb7

Fixing_vulnerabilities

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@9.0.0

Package Instance