
Eclipse Jetty vulnerabilities

48 known vulnerabilities affecting eclipse/jetty.

Total CVEs: 48
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 20, LOW 4

Vulnerabilities (page 1 of 3)

Each entry lists: CVE ID | priority | severity | CVSS score | flags (KEV, Exploited, PoC, or none) | affected or fixed version ranges | date, followed by the severity, CWE and description, and the data source.
CVE-2023-44487 | P1 | HIGH | CVSS 7.5 | KEV, PoC | fixed in 9.4.53; ≥ 10.0.0, < 10.0.17; +2 more | 2023-10-10
[HIGH] CWE-400: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Source: NVD
CVE-2021-34429 | P1 | MEDIUM | CVSS 5.3 | Exploited, PoC | ≥ 9.4.37, < 9.4.43; ≥ 10.0.1, < 10.0.6; +1 more | 2021-07-15
[MEDIUM] For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.
Source: NVD
CVE-2021-28169 | P2 | MEDIUM | CVSS 5.3 | Exploited, PoC | fixed in 9.4.41; ≥ 10.0.0, < 10.0.3; +1 more | 2021-06-09
[MEDIUM] CWE-200: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation o
Source: NVD
CVE-2015-2080 | P2 | HIGH | CVSS 7.5 | PoC | v9.2.3; v9.2.4; +5 more | 2016-10-07
[HIGH] CWE-200: The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Source: NVD
CVE-2021-28164 | P2 | MEDIUM | CVSS 5.3 | PoC | v9.4.37; v9.4.38 | 2021-04-01
[MEDIUM] CWE-200: In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implement
Source: NVD
CVE-2017-7657 | P2 | CRITICAL | CVSS 9.8 | none | ≤ 9.2.26; ≥ 9.3.0, < 9.3.24; +1 more | 2018-06-26
[CRITICAL] CWE-444: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body
Source: NVD
CVE-2017-7658 | P2 | CRITICAL | CVSS 9.8 | none | ≤ 9.2.26; ≥ 9.3.0, < 9.3.24; +1 more | 2018-06-26
[CRITICAL] CWE-444: In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decide
Source: NVD
CVE-2021-28165 | P3 | HIGH | CVSS 7.5 | none | ≥ 7.2.2, < 9.4.39; ≥ 10.0.0, < 10.0.2; +1 more | 2021-04-01
[HIGH] CWE-400: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Source: NVD
CVE-2019-17638 | P2 | CRITICAL | CVSS 9.4 | none | v9.4.27; v9.4.28; +1 more | 2020-07-09
[CRITICAL] CWE-672: In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuf
Source: NVD
CVE-2020-27223 | P3 | MEDIUM | CVSS 5.3 | none | ≥ 9.4.7, < 9.4.36; v9.4.6; +3 more | 2021-02-26
[MEDIUM] CWE-407: In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhaust
Source: NVD
CVE-2016-4800 | P3 | CRITICAL | CVSS 9.8 | none | v9.3.0; v9.3.1; +7 more | 2017-04-13
[CRITICAL] CWE-284: The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
Source: NVD
CVE-2026-2332 | P3 | CRITICAL | CVSS 9.1 | none | ≥ 9.4.0, < 9.4.60; ≥ 10.0.0, < 10.0.28; +3 more | 2026-04-14
[CRITICAL] CWE-444: In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty terminates chunk extension parsing at \r\n inside quoted strings instead of treat
Source: NVD
CVE-2018-12538 | P3 | HIGH | CVSS 8.8 | none | ≥ 9.4.0, ≤ 9.4.8 | 2018-06-22
[HIGH] CWE-6: In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Source: NVD
CVE-2026-5795 | P3 | HIGH | CVSS 7.4 | none | ≥ 9.4.0, ≤ 9.4.58; ≥ 10.0.0, ≤ 10.0.26; +3 more | 2026-04-08
[HIGH] CWE-226: In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent request using the same thread inherits the ThreadLocal value
Source: NVD
CVE-2017-9735 | P3 | HIGH | CVSS 7.5 | none | fixed in 9.2.22; ≥ 9.3.0, < 9.3.20; +1 more | 2017-06-16
[HIGH] CWE-203: Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Source: NVD
CVE-2017-7656 | P3 | HIGH | CVSS 7.5 | none | ≤ 9.2.26; ≥ 9.3.0, < 9.3.24; +1 more | 2018-06-26
[HIGH] CWE-444: In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary tha
Source: NVD
CVE-2025-5115 | P3 | HIGH | CVSS 7.5 | none | ≥ 9.3.0, ≤ 9.4.57; ≥ 10.0.0, ≤ 10.0.25; +3 more | 2025-08-20
[HIGH] CWE-400: In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing the server to consume resources such as CPU and memory. For example, a clie
Source: NVD
CVE-2026-1605 | P3 | HIGH | CVSS 7.5 | none | ≥ 12.0.0, < 12.0.32; ≥ 12.1.0, < 12.1.6 | 2026-03-05
[HIGH] CWE-400: In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated for decompressing the request, but it is not released because the release m
Source: NVD
CVE-2023-36478 | P3 | HIGH | CVSS 7.5 | none | ≥ 9.3.0, < 9.4.53; ≥ 10.0.0, < 10.0.16; +1 more | 2023-10-10
[HIGH] CWE-190: Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and thr
Source: NVD
CVE-2024-22201 | P3 | HIGH | CVSS 7.5 | none | ≥ 9.3.0, < 9.4.54; ≥ 10.0.0, < 10.0.20; +2 more | 2024-02-26
[HIGH] CWE-400: Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vul
Source: NVD