
Debian Jetty9 vulnerabilities

41 known vulnerabilities affecting debian/jetty9.

Total CVEs: 41
CISA KEV: 1 (actively exploited)
Public exploits: 4
Exploited in wild: 1
Severity breakdown: CRITICAL 1, HIGH 9, MEDIUM 12, LOW 19

Vulnerabilities

Page 1 of 3
CVE-2025-5115 | HIGH | CVSS 7.7 | fixed in jetty12 12.0.17-3.1 (forky) | 2025 | debian
  [HIGH] jetty12 - In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a client can open a str...
CVE-2025-1948 | HIGH | CVSS 7.5 | fixed in jetty12 12.0.17-1 (forky) | 2025 | debian
  [HIGH] jetty12 - In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError being thro...
CVE-2025-11143 | LOW | CVSS 3.7 | fixed in jetty12 12.0.32-1 (forky) | 2025 | debian
  [LOW] jetty12 - The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the URIs differently from one that generates a response. At the very least, differential parsin...
CVE-2024-22201 | HIGH | CVSS 7.5 | fixed in jetty9 9.4.50-4+deb12u3 (bookworm) | 2024 | debian
  [HIGH] jetty9 - Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is pa...
CVE-2024-8184 | MEDIUM | CVSS 5.9 | fixed in jetty9 9.4.57-0+deb12u1 (bookworm) | 2024 | debian
  [MEDIUM] jetty9 - There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.
  Scope: local bookworm: resolved (fixed in 9.4.57-0+deb12u1) bullseye: resolved (fi...
CVE-2024-9823 | MEDIUM | CVSS 5.3 | fixed in jetty9 9.4.57-0+deb12u1 (bookworm) | 2024 | debian
  [MEDIUM] jetty9 - There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
  Scope: local bookworm: resolved (fixed in 9.4.57-0+deb12u1) bulls...
CVE-2024-6763 | LOW | CVSS 3.7 | 2024 | debian
  [LOW] jetty9 - Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validat...
CVE-2024-13009 | LOW | CVSS 7.2 | fixed in jetty9 9.4.57-0+deb12u1 (bookworm) | 2024 | debian
  [HIGH] jetty12 - In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
  Scope: local forky: resolved sid: resolved trixie: resolved
CVE-2024-6762 | LOW | CVSS 3.1 | fixed in jetty9 9.4.57-0+deb12u1 (bookworm) | 2024 | debian
  [LOW] jetty9 - Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server's memory.
  Scope: local bookworm: resolved (fixed in 9.4.57-0+deb12u1) bullseye: resolved (fixed in 9.4.57-0+deb11u1) forky: resolved (fixed in 9.4.54-1) sid: resolved (fixed in 9.4.54-1) trixie: resolved (fixed in 9.4.54-1)
CVE-2023-44487 | HIGH | CVSS 7.5 | KEV | PoC | fixed in dnsdist 1.8.2-2 (forky) | 2023 | debian
  [HIGH] dnsdist - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
  Scope: local bookworm: open bullseye: open forky: resolved (fixed in 1.8.2-2) sid: resolved (fixed in 1.8.2-2) trixie: resolved (fixed in 1.8.2-2)
CVE-2023-36478 | HIGH | CVSS 7.5 | fixed in jetty9 9.4.50-4+deb12u2 (bookworm) | 2023 | debian
  [HIGH] jetty9 - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception...
CVE-2023-40167 | MEDIUM | CVSS 5.3 | fixed in jetty9 9.4.50-4+deb12u1 (bookworm) | 2023 | debian
  [MEDIUM] jetty9 - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is c...
CVE-2023-26048 | MEDIUM | CVSS 5.3 | fixed in jetty9 9.4.50-4+deb12u1 (bookworm) | 2023 | debian
  [MEDIUM] jetty9 - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content.
CVE-2023-41900 | LOW | CVSS 3.5 | fixed in jetty9 9.4.50-4+deb12u1 (bookworm) | 2023 | debian
  [LOW] jetty9 - Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authe...
CVE-2023-26049 | LOW | CVSS 2.4 | fixed in jetty9 9.4.50-4+deb12u1 (bookworm) | 2023 | debian
  [LOW] jetty9 - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a clos...
CVE-2023-36479 | LOW | CVSS 3.5 | fixed in jetty9 9.4.50-4+deb12u1 (bookworm) | 2023 | debian
  [LOW] jetty9 - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This...
CVE-2022-2048 | HIGH | CVSS 7.5 | fixed in jetty9 9.4.48-1 (bookworm) | 2022 | debian
  [HIGH] jetty9 - In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are not enough resources left to process good requests.
  Scope: local bookworm: resolved (fixed in 9.4....
CVE-2022-2047 | LOW | CVSS 2.7 | fixed in jetty9 9.4.48-1 (bookworm) | 2022 | debian
  [LOW] jetty9 - In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.
  Scope: local bookworm: resolved (fixed in 9.4.48-1) bullseye: resolved (fixed in 9.4.39-...
CVE-2022-2191 | LOW | CVSS 7.5 | 2022 | debian
  [HIGH] jetty9 - In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.
  Scope: local bookworm: resolved bullseye: resolved forky: resolved sid: resolved trixie: resolved
CVE-2021-28165 | HIGH | CVSS 7.5 | fixed in jetty9 9.4.39-1 (bookworm) | 2021 | debian
  [HIGH] jetty9 - In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
  Scope: local bookworm: resolved (fixed in 9.4.39-1) bullseye: resolved (fixed in 9.4.39-1) forky: resolved (fixed in 9.4.39-1) sid: resolved (fixed in 9.4.39-1) trixie: resolved (fixed in 9.4.39-1)