Eclipse Foundation Jetty vulnerabilities
6 known vulnerabilities affecting eclipse_foundation/jetty.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 3
Vulnerabilities
CVE-2025-1948 | HIGH | CVSS 7.5 | Affected: ≥ 12.0.0, ≤ 12.0.16 | Published: 2025-05-08
CVE-2025-1948 [HIGH] CWE-400
In Eclipse Jetty versions 12.0.0 to 12.0.16 inclusive, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not validate this setting and tries to allocate a ByteBuffer of the specified capacity to encode HTTP responses, likely resulting in OutOfMemoryError.
Sources: cvelistv5, nvd
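The entry above describes a server sizing an allocation from a value the client advertises in its SETTINGS frame. The following is an added example, not Jetty code and not Jetty's patch: it builds and parses an HTTP/2 SETTINGS frame per RFC 7540, then shows a buffer-sizing routine that trusts the peer's SETTINGS_MAX_HEADER_LIST_SIZE beside one that clamps it to a local ceiling. The constant LOCAL_MAX_HEADER_LIST_SIZE, the function names and the hostile frame are assumptions constructed for the example.

```python
"""Added example (not Jetty code): parse an HTTP/2 SETTINGS frame and show why
a peer-supplied SETTINGS_MAX_HEADER_LIST_SIZE must be bounded before it is
used to size a server-side encode buffer."""
import struct

# RFC 7540 section 4.1 frame header: 24-bit length, 8-bit type, 8-bit flags,
# 1 reserved bit + 31-bit stream identifier.
FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTINGS_MAX_HEADER_LIST_SIZE = 0x6  # RFC 7540 section 6.5.2

# Assumption for this example: the server's own ceiling for an outgoing
# header block, independent of anything the client advertises.
LOCAL_MAX_HEADER_LIST_SIZE = 8 * 1024


def build_settings_frame(settings, ack=False):
    """Encode (identifier, value) pairs as a SETTINGS frame on stream 0."""
    payload = b"".join(struct.pack("!HI", ident, value) for ident, value in settings)
    length = struct.pack("!I", len(payload))[1:]  # 24-bit big-endian length
    header = length + bytes([FRAME_TYPE_SETTINGS, FLAG_ACK if ack else 0]) + struct.pack("!I", 0)
    return header + payload


def parse_settings_frame(frame):
    """Decode one SETTINGS frame into {identifier: value}, enforcing RFC 7540 framing rules."""
    if len(frame) < FRAME_HEADER_LEN:
        raise ValueError("short frame")
    length = int.from_bytes(frame[:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = struct.unpack("!I", frame[5:9])[0] & 0x7FFFFFFF
    if ftype != FRAME_TYPE_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if stream_id != 0:
        raise ValueError("PROTOCOL_ERROR: SETTINGS must be sent on stream 0")
    payload = frame[FRAME_HEADER_LEN:FRAME_HEADER_LEN + length]
    if len(payload) != length or length % 6 != 0 or (flags & FLAG_ACK and length != 0):
        raise ValueError("FRAME_SIZE_ERROR")
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        settings[ident] = value  # a later occurrence of the same identifier wins
    return settings


def vulnerable_encode_capacity(peer_settings):
    """Mirror the flaw described in the advisory: size the response-header encode
    buffer directly from the client's advertised value (anything up to 2^32-1)."""
    return peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE, LOCAL_MAX_HEADER_LIST_SIZE)


def hardened_encode_capacity(peer_settings, local_cap=LOCAL_MAX_HEADER_LIST_SIZE):
    """Treat the peer's value as advisory and never allocate more than the local
    ceiling. This mitigation pattern is an assumption of the example, not Jetty's fix."""
    peer = peer_settings.get(SETTINGS_MAX_HEADER_LIST_SIZE)
    if peer is None:
        return local_cap
    return min(peer, local_cap)


if __name__ == "__main__":
    # Constructed hostile client SETTINGS: advertise the maximum 32-bit value.
    hostile = build_settings_frame([(SETTINGS_MAX_HEADER_LIST_SIZE, 0xFFFFFFFF)])
    settings = parse_settings_frame(hostile)
    print("peer advertised:", settings[SETTINGS_MAX_HEADER_LIST_SIZE])
    print("vulnerable sizing would allocate:", vulnerable_encode_capacity(settings), "bytes")
    print("hardened sizing allocates:", hardened_encode_capacity(settings), "bytes")
    buf = bytearray(hardened_encode_capacity(settings))  # small enough to allocate for real
```

The hostile frame is 15 bytes on the wire and costs the client nothing; the vulnerable path would try to reserve roughly 4 GiB per connection, which is the OutOfMemoryError the advisory describes. The general rule the example shows is that peer-advertised limits (header list size, window sizes, frame sizes) bound what you send to the peer, never what you allocate locally.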
CVE-2024-13009 | HIGH | CVSS 7.2 | Affected: ≥ 9.4.0, ≤ 9.4.56 | Published: 2025-05-08
CVE-2024-13009 [HIGH] CWE-404
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when a gzip error occurs while inflating a request body. This can result in corrupted data and/or inadvertent sharing of data between requests.
Sources: cvelistv5, nvd
CVE-2024-9823 | HIGH | CVSS 7.5 | Affected: ≥ 9.0.0, < 9.4.54; ≥ 10.0.0, < 10.0.18; +1 more | Published: 2024-10-14
CVE-2024-9823 [MEDIUM] CWE-400
There is a security vulnerability in Jetty's DosFilter that unauthorized users can exploit to cause a remote denial of service (DoS) against a server using DosFilter. By repeatedly sending crafted requests, an attacker can trigger OutOfMemoryError and eventually exhaust the server's memory.
Sources: cvelistv5, nvd
CVE-2024-6762 | MEDIUM | CVSS 6.5 | Affected: ≥ 10.0.0, ≤ 10.0.17; ≥ 11.0.0, ≤ 11.0.17; +1 more | Published: 2024-10-14
CVE-2024-6762 [LOW] CWE-400
Jetty's PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server's memory.
Sources: cvelistv5, nvd
CVE-2024-8184 | MEDIUM | CVSS 6.5 | Affected: ≥ 9.3.12, ≤ 9.4.55; ≥ 10.0.0, ≤ 10.0.23; +2 more | Published: 2024-10-14
CVE-2024-8184 [MEDIUM] CWE-400
There is a security vulnerability in Jetty's ThreadLimitHandler.getRemote() that unauthorized users can exploit to cause a remote denial of service (DoS). By repeatedly sending crafted requests, an attacker can trigger OutOfMemoryError and exhaust the server's memory.
Sources: cvelistv5, nvd
CVE-2024-6763 | MEDIUM | CVSS 5.3 | Affected: ≥ 7.0.0, ≤ 12.0.11 | Published: 2024-10-14
CVE-2024-6763 [LOW] CWE-1286
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invali
Sources: cvelistv5, nvd
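The last entry is about an authority component that is accepted without being checked against the URI grammar, and about a server-side parser disagreeing with browsers on what is valid. As an added example (not Jetty's HttpURI and not a reproduction of this CVE's specific input), the following is a strict RFC 3986 section 3.2 authority parser placed next to Python's lenient urlsplit(), so the class of inputs a permissive parser lets through becomes visible. The 65535 port ceiling, the omission of IPvFuture literals, and the sample inputs are assumptions made for the example.

```python
"""Added example (not Jetty's HttpURI): a strict RFC 3986 authority parser
shown beside the stdlib's lenient urlsplit(), which splits but does not
validate the authority."""
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 3986 section 3.2 grammar, transcribed into a regular expression.
_UNRESERVED = r"A-Za-z0-9\-._~"
_SUB_DELIMS = r"!$&'()*+,;="
_PCT = r"%[0-9A-Fa-f]{2}"
_REG_NAME = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}]|{_PCT})*"
_USERINFO = rf"(?:[{_UNRESERVED}{_SUB_DELIMS}:]|{_PCT})*"
_DEC_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"
_IPV4 = rf"{_DEC_OCTET}(?:\.{_DEC_OCTET}){{3}}"
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"  # IPv6 alphabet only; IPvFuture is not accepted here (assumption)
_HOST = rf"(?:{_IP_LITERAL}|{_IPV4}|{_REG_NAME})"
_AUTHORITY = re.compile(
    rf"^(?:(?P<userinfo>{_USERINFO})@)?(?P<host>{_HOST})(?::(?P<port>[0-9]*))?$"
)


def parse_authority(authority):
    """Return (userinfo, host, port) or raise ValueError if the authority is not
    syntactically valid. host keeps its square brackets for IPv6 literals."""
    m = _AUTHORITY.match(authority)
    if m is None:
        raise ValueError(f"invalid authority: {authority!r}")
    host = m.group("host")
    if host.startswith("["):
        # The regex only restricts the alphabet; ipaddress checks the IPv6 shape.
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ipaddress.AddressValueError as e:
            raise ValueError(f"invalid IPv6 literal in {authority!r}: {e}") from None
    port = m.group("port")
    port_num = int(port) if port else None  # RFC 3986 allows an empty port after ':'
    # Stricter than RFC 3986, which puts no upper bound on port (assumption for this example).
    if port_num is not None and port_num > 65535:
        raise ValueError(f"port out of range in {authority!r}")
    return m.group("userinfo"), host, port_num


def is_valid_authority(authority):
    try:
        parse_authority(authority)
        return True
    except ValueError:
        return False


def lenient_netloc(url):
    """The authority as urlsplit() reports it; returns None where urlsplit itself
    rejects the URL (it does check bracket balance and, on newer Pythons, IPv6 shape)."""
    try:
        return urlsplit(url).netloc
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed inputs: the first three are valid, the rest are malformed.
    samples = ["example.com:8080", "user:pw@[::1]:443", "192.168.0.1",
               "ho st", "host:abc", "[::1", "[::1::]:80", "host:99999"]
    for a in samples:
        strict = is_valid_authority(a)
        lenient = lenient_netloc("http://" + a + "/")
        print(f"{a!r:22} strict={strict!s:5} urlsplit netloc={lenient!r}")
```

Inputs such as "host:abc" or "ho st" come back from urlsplit() as an ordinary netloc, while the strict parser rejects them; a server whose URI class behaves like the former while clients behave like the latter is exactly the disagreement the entry describes, and that gap is what a request-smuggling or host-confusion test would probe.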