Eclipse Jetty.Project vulnerabilities
6 known vulnerabilities affecting eclipse/jetty.project.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 4, LOW 1
Vulnerabilities
CVE-2023-36478 | HIGH | CVSS 7.5 | affected: >= 10.0.0, < 10.0.16; >= 11.0.0, < 11.0.16; +1 more | published 2023-10-10
CVE-2023-36478 [HIGH] CWE-190: Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and thr
Sources: cvelistv5, nvd
CVE-2023-41900 | MEDIUM | CVSS 4.3 | affected: >= 9.4.21, <= 9.4.51; >= 10.0.0, <= 10.0.15; +1 more | published 2023-09-15
CVE-2023-41900 [LOW] CWE-1390: Jetty is a Java-based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authent
Sources: cvelistv5, nvd
CVE-2023-40167 | MEDIUM | CVSS 5.3 | affected: >= 9.0.0, <= 9.4.51; >= 10.0.0, <= 10.0.15; +2 more | published 2023-09-15
CVE-2023-40167 [MEDIUM] CWE-130: Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests with 400 responses. There is no known exploit scena
Sources: cvelistv5, nvd
CVE-2023-36479 | LOW | CVSS 3.1 | affected: >= 9.0.0, <= 9.4.51; >= 10.0.0, <= 10.0.15; +2 more | published 2023-09-15
CVE-2023-36479 [LOW] CWE-149: Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quota
Sources: cvelistv5, nvd
CVE-2023-26048 | MEDIUM | CVSS 5.3 | affected: fixed in 9.4.51; >= 10.0.0, < 10.0.14; +1 more | published 2023-04-18
CVE-2023-26048 [MEDIUM] CWE-400: Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very
Sources: cvelistv5, nvd
CVE-2023-26049 | MEDIUM | CVSS 5.3 | affected: fixed in 9.4.51; >= 10.0.0, < 10.0.14; +2 more | published 2023-04-18
CVE-2023-26049 [LOW] CWE-200: Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string unti
Sources: cvelistv5, nvd