Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.eclipse.jetty/jetty-server@11.0.0
Typemaven
Namespaceorg.eclipse.jetty
Namejetty-server
Version11.0.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version11.0.14
Latest_non_vulnerable_version12.1.6
Affected_by_vulnerabilities
0
url VCID-3vps-uq7s-nfb7
vulnerability_id VCID-3vps-uq7s-nfb7
summary 
Improper Handling of Length Parameter Inconsistency
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.
references
0
reference_url https://www.rfc-editor.org/rfc/rfc9110#section-8.6
reference_id
reference_type
scores
url https://www.rfc-editor.org/rfc/rfc9110#section-8.6
1
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40167
reference_id CVE-2023-40167
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-40167
2
reference_url https://github.com/advisories/GHSA-hmr7-m48g-48f6
reference_id GHSA-hmr7-m48g-48f6
reference_type
scores
url https://github.com/advisories/GHSA-hmr7-m48g-48f6
3
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
reference_id GHSA-hmr7-m48g-48f6
reference_type
scores
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-hmr7-m48g-48f6
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
purl pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.16
1
url pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
purl pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
aliases CVE-2023-40167, GHSA-hmr7-m48g-48f6
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3vps-uq7s-nfb7
1
url VCID-bq5u-wuuv-m7au
vulnerability_id VCID-bq5u-wuuv-m7au
summary 
False positive
This vulnerability has been marked as a false positive.
references
0
reference_url https://github.com/eclipse/jetty.project/issues/9076
reference_id
reference_type
scores
url https://github.com/eclipse/jetty.project/issues/9076
1
reference_url https://github.com/eclipse/jetty.project/pull/9344
reference_id
reference_type
scores
url https://github.com/eclipse/jetty.project/pull/9344
2
reference_url https://github.com/eclipse/jetty.project/pull/9345
reference_id
reference_type
scores
url https://github.com/eclipse/jetty.project/pull/9345
3
reference_url https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
reference_id
reference_type
scores
url https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-26048
reference_id CVE-2023-26048
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-26048
5
reference_url https://github.com/advisories/GHSA-qw69-rqj8-6qw8
reference_id GHSA-qw69-rqj8-6qw8
reference_type
scores
url https://github.com/advisories/GHSA-qw69-rqj8-6qw8
6
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
reference_id GHSA-qw69-rqj8-6qw8
reference_type
scores
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-qw69-rqj8-6qw8
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
purl pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
aliases CVE-2023-26048, GHSA-qw69-rqj8-6qw8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bq5u-wuuv-m7au
2
url VCID-gua7-n9ne-t3hk
vulnerability_id VCID-gua7-n9ne-t3hk
summary 
Exposure of Sensitive Information to an Unauthorized Actor
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
references
0
reference_url https://github.com/eclipse/jetty.project/pull/9339
reference_id
reference_type
scores
url https://github.com/eclipse/jetty.project/pull/9339
1
reference_url https://github.com/eclipse/jetty.project/pull/9352
reference_id
reference_type
scores
url https://github.com/eclipse/jetty.project/pull/9352
2
reference_url https://www.rfc-editor.org/rfc/rfc2965
reference_id
reference_type
scores
url https://www.rfc-editor.org/rfc/rfc2965
3
reference_url https://www.rfc-editor.org/rfc/rfc6265
reference_id
reference_type
scores
url https://www.rfc-editor.org/rfc/rfc6265
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-26049
reference_id CVE-2023-26049
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-26049
5
reference_url https://github.com/advisories/GHSA-p26g-97m4-6q7c
reference_id GHSA-p26g-97m4-6q7c
reference_type
scores
url https://github.com/advisories/GHSA-p26g-97m4-6q7c
6
reference_url https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
reference_id GHSA-p26g-97m4-6q7c
reference_type
scores
url https://github.com/eclipse/jetty.project/security/advisories/GHSA-p26g-97m4-6q7c
fixed_packages
0
url pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
purl pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.14
1
url pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
purl pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@12.0.1
aliases CVE-2023-26049, GHSA-p26g-97m4-6q7c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gua7-n9ne-t3hk
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.eclipse.jetty/jetty-server@11.0.0