Field | Value
---|---
purl | pkg:maven/org.eclipse.jetty/jetty-util@9.4.36.v20210114
Next non-vulnerable version | 9.4.39.v20210325
Latest non-vulnerable version | 12.0.1
Risk | 4.0
Vulnerabilities affecting this package (each entry gives the vulnerability, its summary, and the releases that fix it):
## VCID-aasf-tb1p-mffs

Aliases: CVE-2021-28163, GHSA-j6qj-j888-vvgq

Directory exposure in jetty

### Impact

If the `${jetty.base}` directory or the `${jetty.base}/webapps` directory is a symlink (soft link on Linux), the contents of the `${jetty.base}/webapps` directory may be deployed as a static web application, exposing the content of the directory for download. For example, the problem manifests in the following `${jetty.base}`:

```
$ tree demo-base/
demo-base/
├── etc
├── lib
├── resources
├── start.d
├── deploy
│   └── async-rest.war
└── webapps -> deploy
```

### Workarounds

Do not use a symlink for `${jetty.base}` or for `${jetty.base}/webapps`; use a real directory.

Fixed by: three releases (each affected by 0 other vulnerabilities).
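The workaround above is a filesystem condition, so it can be checked before Jetty is started. The following POSIX shell script is an added example, not part of the advisory or of Jetty: `check_jetty_base` flags a `${jetty.base}` whose base directory or `webapps/` directory is a symlink, `fix_webapps_symlink` replaces a `webapps` symlink with a real directory holding the same deployables, and `demo` rebuilds the advisory's `webapps -> deploy` layout in a temporary directory (a constructed layout, with an empty placeholder `async-rest.war`) to show both.

```shell
#!/bin/sh
# Added example (not Jetty's code): pre-deployment check for the CVE-2021-28163
# workaround "do not use a symlink". Paths and the demo layout are constructed.

# check_jetty_base BASE: returns 0 if neither BASE nor BASE/webapps is a
# symlink, 1 otherwise. A trailing slash is stripped first, because "test -L"
# on "link/" follows the link and would report a plain directory.
check_jetty_base() {
  base="${1%/}"
  status=0
  if [ -L "$base" ]; then
    echo "WARN: jetty.base '$base' is a symlink -> $(readlink "$base")" >&2
    status=1
  fi
  if [ -L "$base/webapps" ]; then
    echo "WARN: '$base/webapps' is a symlink -> $(readlink "$base/webapps")" >&2
    status=1
  fi
  return "$status"
}

# fix_webapps_symlink BASE: if BASE/webapps is a symlink, replace it with a
# real directory and move the link target's contents into it.
fix_webapps_symlink() {
  base="${1%/}"
  [ -L "$base/webapps" ] || return 0
  # resolve the target relative to BASE (handles relative and absolute links)
  target=$(cd "$base" && cd "$(readlink webapps)" && pwd)
  rm "$base/webapps"
  mkdir "$base/webapps"
  mv "$target"/* "$base/webapps"/ 2>/dev/null || true
  rmdir "$target" 2>/dev/null || true   # drop the old target if now empty
}

# demo: reproduce the advisory's tree (webapps -> deploy) and remediate it.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/demo-base/deploy" "$tmp/demo-base/etc"
  : > "$tmp/demo-base/deploy/async-rest.war"   # constructed placeholder
  ln -s deploy "$tmp/demo-base/webapps"
  check_jetty_base "$tmp/demo-base" || echo "vulnerable layout detected"
  fix_webapps_symlink "$tmp/demo-base"
  check_jetty_base "$tmp/demo-base" && echo "fixed: webapps is a real directory"
  rm -rf "$tmp"
}

demo
```

Run `check_jetty_base /path/to/jetty.base` from a deployment pipeline and fail the deploy on a non-zero exit; the fix function is deliberately conservative (it only touches a `webapps` symlink, never the base directory itself, which an operator should relocate by hand).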
## VCID-c5aj-3a1x-bfhu

Aliases: CVE-2021-28165, GHSA-26vr-8j45-3r4w

Denial of service (per the aliased advisory CVE-2021-28165: CPU usage can reach 100% when Jetty receives a large invalid TLS frame).

Fixed by: three releases (each affected by 0 other vulnerabilities).
## VCID-s3d8-ywz4-17dt

Aliases: CVE-2020-27223, GHSA-m394-8rww-3jr7

DOS vulnerability for Quoted Quality CSV headers

### Impact

When Jetty handles a request containing request headers with a large number of "quality" (i.e. `q`) parameters (such as those seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values by their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application.

The only features within Jetty that can trigger this behavior are:

- Default Error Handling: the `Accept` request header is parsed with `QuotedQualityCSV` to determine what kind of content to send back to the client (html, text, json, xml, etc.)
- `StatisticsServlet`: uses the `Accept` request header with `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc.)
- `HttpServletRequest.getLocale()`: uses the `Accept-Language` request header with `QuotedQualityCSV` to determine which "preferred" language is returned by this call
- `HttpServletRequest.getLocales()`: similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header
- `DefaultServlet`: uses the `Accept-Encoding` request header with `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app)

### Versions

`QuotedQualityCSV` was introduced in Jetty 9.3.9.v20160517, and the bug that introduced the vulnerability arrived in 9.4.6.v20170531. Currently, known vulnerable versions include:

- 9.4.6.v20170531 through 9.4.36.v20210114
- 10.0.0
- 11.0.0

### Workarounds

Quality-ordered values are used infrequently by Jetty, so the vulnerable code paths can be avoided by:

* Do not use the default error page/handler.
* Do not deploy the `StatisticsServlet` exposed to the network.
* Do not call the `getLocale`/`getLocales` API.
* Do not enable precompressed static content in the `DefaultServlet`.

### Patches

All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php):

- 9.4.37.v20210219 and greater
- 10.0.1 and greater
- 11.0.1 and greater

Fixed by: three releases (affected by 3, 2 and 2 other vulnerabilities respectively).
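Two things a practitioner wants around this advisory are a way to craft the offending header so a patched server can be verified, and a front-door limit on `q` parameters so a reverse proxy can drop such requests before Jetty's `QuotedQualityCSV` ever sorts them. The POSIX shell script below is an added example, not Jetty's code or part of the advisory: `build_quality_header` produces an `Accept`-style list with N quality parameters, `count_q_params` and `reject_if_too_many_q` implement the proxy-side check, and `probe_command` prints (without running) a `curl` invocation that reports elapsed time against a URL of your choosing. The limit of 20, the `text/x<i>` media types and the localhost URL are arbitrary choices made for the example.

```shell
#!/bin/sh
# Added example (not Jetty's code) for CVE-2020-27223: build a header with
# many q parameters, and count/reject such headers at a proxy. The limit,
# media types and probe URL are illustrative assumptions.

# build_quality_header N: print N comma-separated list members, each with a
# q parameter, e.g. "text/x0;q=0.0, text/x1;q=0.1, ...".
build_quality_header() {
  n="$1"; i=0; out=""
  while [ "$i" -lt "$n" ]; do
    if [ -n "$out" ]; then out="$out, "; fi
    out="${out}text/x$i;q=0.$((i % 10))"
    i=$((i + 1))
  done
  printf '%s' "$out"
}

# count_q_params HEADER: number of list members carrying a q parameter
# (case-insensitive; whitespace around "q" tolerated, as HTTP permits).
count_q_params() {
  c=$(printf '%s' "$1" | tr ',' '\n' | grep -ic ';[[:space:]]*q[[:space:]]*=' || true)
  printf '%s' "$c"
}

# reject_if_too_many_q HEADER MAX: returns 1 (reject) when HEADER carries
# more than MAX q parameters, 0 (accept) otherwise.
reject_if_too_many_q() {
  if [ "$(count_q_params "$1")" -gt "$2" ]; then
    echo "reject: $(count_q_params "$1") q parameters (limit $2)" >&2
    return 1
  fi
  return 0
}

# probe_command URL N: print (do not run) a curl command that sends an
# N-member Accept header and reports total time. The advisory says an
# unpatched Jetty can burn minutes of CPU before dispatching the request.
probe_command() {
  printf "curl -s -o /dev/null -w \"%%{time_total}\\\\n\" -H \"Accept: %s\" \"%s\"\n" \
    "$(build_quality_header "$2")" "$1"
}

probe_command http://localhost:8080/does-not-exist 5
reject_if_too_many_q "text/html, application/json;q=0.9" 20 && echo "normal header accepted"
reject_if_too_many_q "$(build_quality_header 500)" 20 || echo "flood header rejected"
```

Browsers send a handful of `q` parameters at most, so a limit in the tens is safe; the same check applies to `Accept-Encoding` and `Accept-Language`, which feed the `DefaultServlet` and `getLocale()` paths listed above. The probe targets a non-existent path on purpose, since the default error handler is the trigger that needs no servlet of your own.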
Vulnerabilities fixed by this package: this package is not known to fix vulnerabilities.
Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
---|---|---|---|---|---|
2025-07-03T17:57:30.726439+00:00 | GitLab Importer | Affected by | VCID-c5aj-3a1x-bfhu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2021-28165.yml | 37.0.0 |
2025-07-03T17:57:27.662608+00:00 | GitLab Importer | Affected by | VCID-aasf-tb1p-mffs | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2021-28163.yml | 37.0.0 |
2025-07-03T17:55:04.833638+00:00 | GitLab Importer | Affected by | VCID-s3d8-ywz4-17dt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2020-27223.yml | 37.0.0 |
2025-07-03T13:56:02.133894+00:00 | GitLab Importer | Affected by | VCID-s3d8-ywz4-17dt | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2020-27223.yml | 36.1.3 |