Eclipse Jetty vulnerabilities

48 known vulnerabilities affecting eclipse/jetty.

Total CVEs: 48
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 3
Severity breakdown: CRITICAL 5, HIGH 19, MEDIUM 20, LOW 4

Vulnerabilities

Page 3 of 3

Columns: CVE | priority | severity | CVSS | affected versions | date
CVE-2011-4461 | P4 | MEDIUM | CVSS 5.3 | ≥ 0, < 6.1.26-1ubuntu1 | 2011-12-29
CVE-2011-4461 [MEDIUM]: Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Source: osv
CVE-2019-17632 | P4 | MEDIUM | CVSS 6.1 | v9.4.21; v9.4.22; +1 more | 2019-11-25
CVE-2019-17632 [MEDIUM] CWE-79: In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
Source: nvd
CVE-2023-41900 | P4 | MEDIUM | CVSS 4.3 | ≥ 9.4.21, < 9.4.52; ≥ 10.0.0, < 10.0.16; +1 more | 2023-09-15
CVE-2023-41900 [MEDIUM] CWE-1390: Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as auth…
Source: nvd
CVE-2009-5046 | P4 | MEDIUM | CVSS 6.1 | fixed in 6.1.22 | 2019-11-06
CVE-2009-5046 [MEDIUM] CWE-79: JSP Dump and Session Dump Servlet XSS in Jetty before 6.1.22.
Source: nvd
CVE-2021-28163 | P4 | LOW | CVSS 2.7 | ≥ 9.4.32, < 9.4.39; v10.0.0; +3 more | 2021-04-01
CVE-2021-28163 [LOW] CWE-200: In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
Source: nvd
CVE-2023-36479 | P4 | LOW | CVSS 3.1 | ≥ 9.0.0, < 9.4.52; ≥ 10.0.0, < 10.0.16; +2 more | 2023-09-15
CVE-2023-36479 [LOW] CWE-149: Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quota…
Source: nvd
CVE-2021-34428 | P4 | LOW | CVSS 3.5 | ≤ 9.4.40; ≥ 10.0.0, ≤ 10.0.2; +1 more | 2021-06-22
CVE-2021-34428 [LOW] CWE-613: For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application use…
Source: nvd
CVE-2022-2047 | P4 | LOW | CVSS 2.7 | fixed in 9.4.46; ≥ 10.0.0, < 10.0.9; +1 more | 2022-07-07
CVE-2022-2047 [LOW] CWE-20: In Eclipse Jetty versions 9.4.0 through 9.4.46, 10.0.0 through 10.0.9, and 11.0.0 through 11.0.9, the Jetty HttpURI class, when parsing the authority segment of an http-scheme URI, improperly accepts invalid input as a hostname. This can lead to failures in a proxy scenario.
Source: nvd
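The practical use of the affected-versions column above is to check a deployed Jetty build against it. The Python below is an added example for this page, not cvebase's or the Jetty project's code. It parses the listing's own range notation (`≥ a, < b`, `≤ a`, `fixed in a`, and a pinned `v9.4.21`) together with the numeric prefix of a Jetty version string, and returns which of the eight entries on this page record a given version as affected. Two caveats are built in and should be kept in mind when reading a result: the ranges hidden behind the page's `+N more` suffixes are not encoded (and the CVE-2011-4461 column shows an Ubuntu package range rather than the `8.1.0.RC2 and earlier` of its description), so an empty result only means nothing visible on this page matched; and qualifiers such as `.v20190926`, `.beta2` or `-1ubuntu1` are dropped, so a pre-release build compares equal to its final release. The table name `JETTY_ADVISORIES` and the function names are this example's own.

```python
from __future__ import annotations

import re

# Affected-version ranges copied verbatim from the listing above.  Where the
# page shows "+N more", the hidden ranges are NOT here (assumption: only the
# visible column is encoded), so a miss is not proof that a version is clean.
JETTY_ADVISORIES: dict[str, list[str]] = {
    "CVE-2011-4461": ["≥ 0, < 6.1.26-1ubuntu1"],   # page shows a distro range
    "CVE-2019-17632": ["v9.4.21", "v9.4.22"],
    "CVE-2023-41900": ["≥ 9.4.21, < 9.4.52", "≥ 10.0.0, < 10.0.16"],
    "CVE-2009-5046": ["fixed in 6.1.22"],
    "CVE-2021-28163": ["≥ 9.4.32, < 9.4.39", "v10.0.0"],
    "CVE-2023-36479": ["≥ 9.0.0, < 9.4.52", "≥ 10.0.0, < 10.0.16"],
    "CVE-2021-34428": ["≤ 9.4.40", "≥ 10.0.0, ≤ 10.0.2"],
    "CVE-2022-2047": ["fixed in 9.4.46", "≥ 10.0.0, < 10.0.9"],
}

# One comparison operator followed by a version token, e.g. "< 6.1.26-1ubuntu1".
_BOUND = re.compile(r"(≥|≤|<|>)\s*([\w.\-]+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Numeric prefix of a Jetty version string, padded to three components.

    Qualifiers ('.v20190926', '.beta2', '.RC2') and distro suffixes
    ('-1ubuntu1') are dropped, so '10.0.0.beta2' compares equal to '10.0.0'.
    """
    parts: list[int] = []
    for piece in re.split(r"[.-]", text.strip().lstrip("v")):
        if not piece.isdigit():
            break                      # first non-numeric piece ends the prefix
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def in_range(version: tuple[int, int, int], spec: str) -> bool:
    """True if `version` lies inside one range expression from the listing."""
    spec = spec.strip()
    if spec.startswith("fixed in "):              # "fixed in X" means "< X"
        return version < parse_version(spec[len("fixed in "):])
    if re.fullmatch(r"v[\w.\-]+", spec):          # a single pinned release
        return version == parse_version(spec)
    bounds = _BOUND.findall(spec)
    if not bounds:
        raise ValueError(f"unrecognised range expression {spec!r}")
    checks = {
        "≥": lambda b: version >= b,
        ">": lambda b: version > b,
        "≤": lambda b: version <= b,
        "<": lambda b: version < b,
    }
    # Every bound in a comma-separated expression must hold.
    return all(checks[op](parse_version(bound)) for op, bound in bounds)


def affecting(version_text: str, advisories=JETTY_ADVISORIES) -> list[str]:
    """CVE ids from the listing whose recorded ranges contain `version_text`."""
    version = parse_version(version_text)
    return sorted(cve for cve, specs in advisories.items()
                  if any(in_range(version, spec) for spec in specs))


if __name__ == "__main__":
    # Constructed sample builds: a release named in CVE-2019-17632, a 10.0
    # pre-release, and the first 10.0 release outside every visible range.
    for build in ("9.4.21.v20190926", "10.0.0.beta2", "10.0.16"):
        print(f"{build}: {affecting(build) or 'nothing visible on this page'}")
```

Run it against the version reported by the deployed jar (the `Implementation-Version` in its manifest, or the banner in the server log); the matches it prints are the entries from this page to read first, and the `+N more` ranges still have to be checked on the full advisory.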