Lucene search
+L

189 matches found

OSV
OSV
added 2021/04/06 5:31 p.m.16 views

GHSA-26VR-8J45-3R4W Jetty vulnerable to incorrect handling of invalid large TLS frame, exhausting CPU resources

Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large greater than 17408 TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. Workarounds The problem can be worked around by compiling the...

7.5CVSS7.2AI score0.53861EPSS
Exploits1References109
Veracode
Veracode
added 2021/04/05 8:18 a.m.49 views

Information Disclosure

jetty-server is vulnerable to information disclosure. The URI normalisation in default compliance mode does not escape % encoded characters in the request metadata by common Servlet implementations, allowing access to sensitive resources within the WEB-INF directory via the use of URI with %2e or...

5.3CVSS4.4AI score0.82371EPSS
Exploits7References45Affected Software4
OSV
OSV
added 2021/02/23 1:15 p.m.12 views

CVE-2020-14359

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers via cURL an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers e.g. Jetty. This means there is no protection when we put a Gatekeeper in front of a Jet...

7.3CVSS5.8AI score0.0093EPSS
Exploits0References2
Prion
Prion
added 2021/02/23 1:15 p.m.23 views

Design/Logic Flaw

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers via cURL an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers e.g. Jetty. This means there is no protection when we put a Gatekeeper in front of a Jet...

7.5CVSS7.1AI score0.0093EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2021/02/23 12:0 a.m.10 views

PT-2021-9721 · Red Hat +1 · Keycloak Gatekeeper +1

Name of the Vulnerable Software and Affected Versions: Keycloak Gatekeeper versions all Description: A vulnerability was found in Keycloak Gatekeeper where an attacker can bypass the Gatekeeper by using lower case HTTP headers, for example, via cURL. This issue is particularly problematic when th...

7.5CVSS7AI score0.0093EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2021/01/19 7:41 a.m.40 views

CVE-2020-14359

A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers via cURL an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers e.g. Jetty. This means there is no protection when we put a Gatekeeper in front of a Jet...

7.5CVSS2.5AI score0.0093EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2020/08/05 2:52 p.m.245 views

Operation on a Resource after Expiration or Release in Jetty Server

In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this doub...

9.4CVSS0.2AI score0.11138EPSS
Exploits0References22Affected Software1
Veracode
Veracode
added 2020/07/13 6:3 a.m.37 views

Information Disclosure

jetty-server is vulnerable to information disclosure. An HTTP 431 error occurs when large response headers are received, causing the HTTP response headers to be released to ByteBufferPool twice. This results in a double release and memory corruption and causes confidential information to be...

9.4CVSS1AI score0.11138EPSS
Exploits0References32Affected Software3
Veracode
Veracode
added 2020/07/08 3:25 a.m.14 views

Authorization Bypass

jetty-server is vulnerable to authorization bypass. The vulnerability exists as a buffer corruption could occur when the response buffer is too large, allowing the header buffer to be released, but not nulled, causing the server to send incorrect responses to different clients...

2.4AI score
Exploits0
RedHat Linux
RedHat Linux
added 2020/04/14 1:4 p.m.7 views

jetty: error path information disclosure

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches...

5.3CVSS7.2AI score0.05782EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2020/03/26 3:46 p.m.7 views

jetty: full server path revealed when using the default Error Handling

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a...

5.3CVSS7.2AI score0.04328EPSS
Exploits0References4
Veracode
Veracode
added 2019/12/03 2:53 a.m.25 views

Cross-Site Scripting (XSS)

jetty-server is vulnerable to cross-site scripting. The server response containing the default error message from stacktraces is not sanitized and escaped before being displayed, which would allow a remote attacker to inject arbitrary Javascript into a victim's browser...

6.1CVSS2.8AI score0.01905EPSS
Exploits0References8Affected Software1
ATTACKERKB
ATTACKERKB
added 2019/11/06 8:15 p.m.5 views

CVE-2009-5045

Dump Servlet information leak in jetty before 6.1.22...

7.5CVSS5.4AI score0.02299EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2019/11/06 7:15 p.m.4 views

CVE-2009-5048

Cookie Dump Servlet stored XSS vulnerability in jetty though 6.1.20...

6.1CVSS5.4AI score0.01626EPSS
Exploits1References4
Veracode
Veracode
added 2019/04/23 2:9 a.m.37 views

Information Disclosure

jetty-server is vulnerable to information disclosure. The error page produced from DefaultHandler reveals the base resource directory of each context in the list of contexts...

5.3CVSS6.8AI score0.05782EPSS
Exploits0References25Affected Software3
OSV
OSV
added 2019/04/22 8:29 p.m.2 views

DEBIAN-CVE-2019-10247

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches...

5.3CVSS6.4AI score0.05782EPSS
Exploits0References1
OSV
OSV
added 2019/03/27 8:29 p.m.5 views

UBUNTU-CVE-2018-12545

In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGs frames container containing many settings, or many small SETTINGs frames. The vulnerability is due to the additional CPU and memory allocations require...

7.5CVSS6.7AI score0.05082EPSS
Exploits0References3
Veracode
Veracode
added 2018/11/12 7:38 a.m.27 views

CRLF Injection

Jetty Server is vulnerable to CRLF injection. A remote attacker is able to inject arbitrary HTTP headers into the server response to perform response splitting attacks via the reason string in AbstractGenerator.java...

5CVSS9.3AI score0.03597EPSS
Exploits0References11Affected Software1
OSV
OSV
added 2018/10/19 4:16 p.m.39 views

GHSA-6X9X-8QW9-9PP6 Jetty vulnerable to authorization bypass due to inconsistent HTTP request handling (HTTP Request Smuggling)

Eclipse Jetty Server versions 9.2.x and older, 9.3.x all non HTTP/1.x configurations, and 9.4.x all HTTP/1.x configurations, are vulnerable to HTTP Request Smuggling when presented with two content-lengths headers, allowing authorization bypass. When presented with a content-length and a chunked...

9.8CVSS6.9AI score0.20985EPSS
Exploits0References18
OSV
OSV
added 2018/10/19 4:15 p.m.31 views

GHSA-9RGV-H7X4-QW8G Eclipse Jetty Server generates error message containing sensitive information

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a...

5.3CVSS7AI score0.04328EPSS
Exploits0References10
Rows per page
Query Builder