Search for packages
Package details: pkg:maven/org.eclipse.jetty/jetty-util@9.4.37.v20210219
purl pkg:maven/org.eclipse.jetty/jetty-util@9.4.37.v20210219
Next non-vulnerable version 9.4.39.v20210325
Latest non-vulnerable version 12.0.1
Risk 10.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-9c5g-tr32-t3d6
Aliases:
CVE-2021-28164
GHSA-v7ff-8wcx-gmc5
Authorization Before Parsing and Canonicalization in jetty Release 9.4.37 introduced a more precise implementation of [RFC3986](https://tools.ietf.org/html/rfc3986#section-3.3) with regards to URI decoding, together with some new compliance modes to optionally allow support of some URI that may have ambiguous interpretation within the Servlet specified API methods behaviours. The default mode allowed % encoded . characters to be excluded for URI normalisation, which is correct by the RFC, but is not assumed by common Servlet implementations. The default compliance mode allows requests with URIs that contain `%2e` or `%2e%2e` segments to access protected resources within the `WEB-INF` directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the `web.xml` file. This can reveal sensitive information regarding the implementation of a web application. Workarounds found by HttpCompliance mode RFC7230_NO_AMBIGUOUS_URIS can be enabled by updating `start.d/http.ini` to include: jetty.http.compliance=RFC7230_NO_AMBIGUOUS_URIS.
9.4.38.v20210224
Affected by 2 other vulnerabilities.
VCID-aasf-tb1p-mffs
Aliases:
CVE-2021-28163
GHSA-j6qj-j888-vvgq
Directory exposure in jetty ### Impact If the `${jetty.base}` directory or the `${jetty.base}/webapps` directory is a symlink (soft link in Linux), the contents of the `${jetty.base}/webapps` directory may be deployed as a static web application, exposing the content of the directory for download. For example, the problem manifests in the following `${jetty.base}`: ```$ tree demo-base/ demo-base/ ├── etc ├── lib ├── resources ├── start.d ├── deploy │   └── async-rest.war └── webapps -> deploy ``` ### Workarounds Do not use a symlink
9.4.39.v20210325
Affected by 0 other vulnerabilities.
10.0.2
Affected by 0 other vulnerabilities.
11.0.2
Affected by 0 other vulnerabilities.
VCID-c5aj-3a1x-bfhu
Aliases:
CVE-2021-28165
GHSA-26vr-8j45-3r4w
denial of service
9.4.39.v20210325
Affected by 0 other vulnerabilities.
10.0.2
Affected by 0 other vulnerabilities.
11.0.2
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-s3d8-ywz4-17dt DOS vulnerability for Quoted Quality CSV headers ### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. - `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater CVE-2020-27223
GHSA-m394-8rww-3jr7

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-03T17:57:30.794365+00:00 GitLab Importer Affected by VCID-9c5g-tr32-t3d6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2021-28164.yml 37.0.0
2025-07-03T17:57:30.728268+00:00 GitLab Importer Affected by VCID-c5aj-3a1x-bfhu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2021-28165.yml 37.0.0
2025-07-03T17:57:27.664496+00:00 GitLab Importer Affected by VCID-aasf-tb1p-mffs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2021-28163.yml 37.0.0
2025-07-03T17:55:04.835889+00:00 GitLab Importer Fixing VCID-s3d8-ywz4-17dt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2020-27223.yml 37.0.0
2025-07-03T13:56:02.153999+00:00 GitLab Importer Fixing VCID-s3d8-ywz4-17dt https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.eclipse.jetty/jetty-util/CVE-2020-27223.yml 36.1.3