Eclipse Jetty vulnerabilities
45 known vulnerabilities affecting eclipse/jetty.
Total CVEs: 45
CISA KEV: 1 (actively exploited)
Public exploits: 5
Exploited in wild: 1
Severity breakdown: CRITICAL 4, HIGH 18, MEDIUM 19, LOW 4
Vulnerabilities
Page 3 of 3
CVE-2017-7656 | HIGH | CVSS 7.5 | CWE-444
Affected versions: ≤ 9.2.26; ≥ 9.3.0, < 9.3.24; +1 more
Published: 2018-06-26
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary tha
Source: nvd
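Added example, not Jetty code and not from the NVD entry: a request-line classifier showing the distinction this entry describes. CWE-444 is "Inconsistent Interpretation of HTTP Requests", so the concern is a server and an intermediary disagreeing about what a line like `GET / HTTP/0.9` means. A genuine HTTP/0.9 request is the two-token `GET <target>` with no version at all; the `lenient` flag reproduces the accepted-and-downgraded behaviour, and `lenient=False` the strict behaviour. Function names, the regex and the sample lines are this example's own.

```python
import re

# Added example (not Jetty code): classify an HTTP request line the way the
# CVE-2017-7656 entry describes. A genuine HTTP/0.9 "simple request" is
# "GET <target>" with no version token; an HTTP/1-style line that merely
# declares HTTP/0.9 is a different thing and a strict parser rejects it.
# Function names and the regex are this example's own.

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+)(?: HTTP/(\d)\.(\d))?$")


def classify_request_line(line: str, lenient: bool = False) -> str:
    """Return 'http09', 'http1x' or 'reject'.

    lenient=True reproduces the problematic behaviour: a three-token line
    declaring HTTP/0.9 is accepted and downgraded to a 0.9 request (which has
    no headers and no body), so the server may read the request differently
    from an intermediary in front of it, the inconsistency CWE-444 names.
    lenient=False is the strict behaviour: a version token must be HTTP/1.x.
    """
    m = REQUEST_LINE.match(line.rstrip("\r\n"))
    if m is None:
        return "reject"
    method, _target, major, minor = m.groups()
    if major is None:
        # Two-token simple request: HTTP/0.9 only defines GET.
        return "http09" if method == "GET" else "reject"
    if major == "1":
        return "http1x"
    if (major, minor) == ("0", "9"):
        return "http09" if lenient else "reject"
    return "reject"


def audit(lines, lenient: bool) -> dict:
    """Map each request line to its classification under the chosen mode."""
    return {line: classify_request_line(line, lenient) for line in lines}


if __name__ == "__main__":
    # Constructed sample request lines, not captured traffic.
    samples = ["GET /", "GET / HTTP/1.1", "GET / HTTP/0.9", "POST /upload HTTP/1.0"]
    for mode in (True, False):
        print("lenient" if mode else "strict", audit(samples, mode))
```

Run it and compare the two dictionaries: only `GET / HTTP/0.9` changes classification between modes, which is exactly the line a strict parser should refuse.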
CVE-2018-12538 | HIGH | CVSS 8.8 | CWE-6
Affected versions: ≥ 9.4.0, ≤ 9.4.8
Published: 2018-06-22
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
Source: nvd
CVE-2017-9735 | HIGH | CVSS 7.5 | CWE-203
Affected versions: fixed in 9.2.22; ≥ 9.3.0, < 9.3.20; +1 more
Published: 2017-06-16
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Source: nvd
CVE-2016-4800 | CRITICAL | CVSS 9.8 | CWE-284
Affected versions: 9.3.0, 9.3.1, +7 more
Published: 2017-04-13
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
Source: nvd
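Added illustration of the bug class this entry belongs to, not Jetty's PathResource code: a security constraint evaluated against the raw request path is bypassed when a percent-encoded backslash is decoded afterwards and treated as a path separator by the Windows file system. The protected prefixes, function names and sample paths are this example's own assumptions; the hardened version canonicalizes (decode exactly once, map backslashes to slashes where the file system would, collapse dot-segments) before applying the constraint.

```python
import posixpath
from urllib.parse import unquote

# Added illustration of the bug class behind CVE-2016-4800, not Jetty's
# PathResource. A constraint checked against the raw request path can be
# bypassed if the file system later treats another character (the backslash,
# on Windows) as a separator. The protected prefixes, function names and
# sample paths below are this example's own assumptions.

PROTECTED = ("/WEB-INF", "/META-INF")


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def naive_is_protected(raw_path: str) -> bool:
    """Checks the path exactly as received: %-escapes and backslashes untouched."""
    return any(_under(raw_path, p) for p in PROTECTED)


def canonicalize(raw_path: str, windows: bool) -> str:
    """Decode exactly once, map '\\' to '/' where the FS would, collapse dot-segments."""
    decoded = unquote(raw_path)          # once only: double-decoding is its own bug
    if windows:
        decoded = decoded.replace("\\", "/")
    canon = posixpath.normpath(decoded)  # resolves "." and ".." segments
    while canon.startswith("//"):        # normpath keeps exactly two leading slashes
        canon = canon[1:]
    if not canon.startswith("/"):
        canon = "/" + canon
    return canon


def hardened_is_protected(raw_path: str, windows: bool = True) -> bool:
    """Apply the constraint to the canonical form the file system will see."""
    canon = canonicalize(raw_path, windows)
    if windows:
        # NTFS is also case-insensitive, so compare case-insensitively there.
        return any(_under(canon.lower(), p.lower()) for p in PROTECTED)
    return any(_under(canon, p) for p in PROTECTED)


if __name__ == "__main__":
    # Constructed sample request paths.
    for raw in ["/WEB-INF/web.xml", "/WEB-INF%5Cweb.xml", "/static/..%5CWEB-INF%5Cweb.xml", "/index.html"]:
        print(f"{raw:40} naive={naive_is_protected(raw)!s:5} hardened={hardened_is_protected(raw)}")
```

The second and third sample paths are the interesting ones: the naive check lets them through, the canonicalizing check does not. With `windows=False` the backslash is an ordinary filename character and the same paths are correctly left unprotected, which is why the entry is Windows-specific.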
CVE-2015-2080 | HIGH | CVSS 7.5 | CWE-200 | Public PoC available
Affected versions: 9.2.3, 9.2.4, +5 more
Published: 2016-10-07
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak.
Source: nvd
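Added example, not Jetty code: strict validation of a header line against the RFC 7230 grammar (field-name is a token; field-value is visible ASCII, obs-text 0x80-0xFF, SP or HTAB), rejecting illegal bytes with a constant error message. JetLeak is an error path that exposed process memory when a header contained illegal characters; the defensive pattern shown here is to fail closed with a message that carries nothing from the input buffer. The regex, names and sample header lines are constructed for the example.

```python
import re

# Added example, not Jetty code: strict validation of one header line against
# the RFC 7230 grammar (field-name is a token; field-value is visible ASCII,
# obs-text 0x80-0xFF, SP or HTAB). Illegal bytes are rejected with a constant
# message, so nothing from the input buffer (or anything adjacent to it in
# memory) can reach the error response. Sample header lines are constructed.

TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
FIELD_VALUE = rb"[\t \x21-\x7e\x80-\xff]*"
HEADER_LINE = re.compile(rb"^(" + TOKEN + rb"):(" + FIELD_VALUE + rb")\Z")

ERROR_MESSAGE = "Illegal character in HTTP header"


class HeaderError(ValueError):
    """Always raised with ERROR_MESSAGE; never with the offending bytes."""


def parse_header_line(line: bytes) -> tuple:
    """Return (name, value) with optional whitespace around the value stripped."""
    if line.endswith(b"\r\n"):
        line = line[:-2]
    m = HEADER_LINE.match(line)
    if m is None:
        # Deliberately no repr(line) here: the message must not echo the buffer.
        raise HeaderError(ERROR_MESSAGE)
    return m.group(1), m.group(2).strip(b" \t")


def error_message_for(line: bytes) -> str:
    """What a client would see for this line: '' if legal, else the fixed message."""
    try:
        parse_header_line(line)
    except HeaderError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    # Constructed sample header lines: two legal, three carrying illegal bytes.
    for sample in [b"Host: example.com\r\n", b"X-Trace:\tabc  ",
                   b"Referer: \x00bad", b"Bad Name: x", b"Host: a\rb"]:
        print(sample, "->", error_message_for(sample) or "ok")
```

The test worth keeping in a regression suite is the last assertion below: whatever bytes arrive, the error text is the fixed string and never contains the input.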