Debian Jetty9 vulnerabilities

CVE-2021-34429 [MEDIUM] CVE-2021-34429: jetty9 - For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs ca... For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5. Scope: local bookworm: resolved (fixed in 9.4.39-3) bullseye: resol

CVE-2021-28169 [MEDIUM] CVE-2021-28169: jetty9 - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for r... For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web applicat

CVE-2021-28164 [MEDIUM] CVE-2021-28164: jetty9 - In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mo... In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web a

CVE-2021-34428 [LOW] CVE-2021-34428: jetty9 - For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is t... For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared co

CVE-2021-28163 [LOW] CVE-2021-28163: jetty9 - In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 1... In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory. Scope: local bookworm: resolved (fixed in 9.4.39-1) bullseye: r

CVE-2020-27216 [HIGH] CVE-2020-27216: jetty9 - In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.b... In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creatio

CVE-2020-27223 [MEDIUM] CVE-2020-27223: jetty9 - In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11... In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing th

CVE-2020-27218 [MEDIUM] CVE-2020-27218: jetty9 - In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.... In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subse

CVE-2019-17638 [CRITICAL] CVE-2019-17638: jetty9 - In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too ... In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the poo

CVE-2019-17632 [MEDIUM] CVE-2019-17632: jetty9 - In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v201911... In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. Scope: local bookworm: resolved (fixed in 9.4.26-1) bullseye: resolved (fixed in 9.4.26-1) forky: resolved

CVE-2019-10241 [MEDIUM] CVE-2019-10241: jetty9 - In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and olde... In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. Scope: local bookworm: resolved (fixed in 9.4.18-2) bullseye: resolved (fixed in

CVE-2019-10247 [MEDIUM] CVE-2019-10247: jetty9 - In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.1... In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution

CVE-2019-10246 [MEDIUM] CVE-2019-10246: jetty9 - In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windo... In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories. Scope:

CVE-2018-12536 [MEDIUM] CVE-2018-12536: jetty9 - In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Err... In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource dir

CVE-2018-12538 [HIGH] CVE-2018-12538: jetty9 - In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty pro... In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore. Scope: local bookworm: resolved bullse

CVE-2018-12545 [HIGH] CVE-2018-12545: jetty9 - In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of ... In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations required to handle changed settings. Scope: local bookworm: resolved bullseye:

CVE-2017-9735 [HIGH] CVE-2017-9735: jetty9 - Jetty through 9.4.x is prone to a timing channel in util/security/Password.java,... Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. Scope: local bookworm: resolved (fixed in 9.2.22-1) bullseye: resolved (fixed in 9.2.22-1) forky: resolved (fixed in 9.2.22-1) sid: resolved (fixed in 9.2.22-1) t

CVE-2017-7657 [CRITICAL] CVE-2017-7657: jetty9 - In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.... In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interp

CVE-2017-7658 [CRITICAL] CVE-2017-7658: jetty9 - In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x confi... In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter

CVE-2017-7656 [HIGH] CVE-2017-7656: jetty9 - In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.... In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted