Astra Linux - vulnerability in jetty9
In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared among all users on that system. A collocated user can observe the process of creating a temporary...
CVE-2026-5795
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent reques...
Security Bulletin: IBM Storage Protect Server is affected by vulnerabilities in the Eclipse Jetty web server library that could lead to denial-of-service due to issues in certificate and protocol handling (CVE-2024-6763, CVE-2024-8184).
Summary IBM Storage Protect Server uses the Eclipse Jetty web server library in certain components. Vulnerabilities related to certificate and protocol handling in the Jetty library may allow specially crafted requests to trigger denial-of-service conditions in applications using the affected...
Security Bulletin: IBM Operational Decision Manager for December 2025 - Multiple CVEs addressed
Summary: IBM Operational Decision Manager is vulnerable to multiple remote code execution and denial of service attacks in third-party and open source components used in the product for various functions. See full list below. The vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2025-58056...
EUVD-2023-1360
Malicious code in bioql PyPI...
EUVD-2023-2569
Malicious code in bioql PyPI...
EUVD-2024-0716
Malicious code in bioql PyPI...
EUVD-2023-2523
Malicious code in bioql PyPI...
com.atlan:package-toolkit-testing (>=5.3.1 <=6.1.2), com.buschmais.jqassistant.cli:jqassistant-commandline-neo4jv5 (>=2.6.0 <=2.8.0) +750 more potentially affected by CVE-2025-1948 via org.eclipse.jetty.http2:jetty-http2-common (>=12.0.0 <=12.0.16)
org.eclipse.jetty.http2:jetty-http2-common MAVEN version =12.0.0, =5.3.1, =2.6.0, =1.41.1, =1.1.18, =2.0.20, =3.0.0, =3.0.2, =3.0.0, =4.0.0, =4.0.0, =4.0.0, =4.0.0-A1, =4.0.0-A1, =4.0.0-A1, =4.1.0, =4.2.1 and more Source cves: CVE-2025-1948 Source advisory: SNYK:JAVA-ORGECLIPSEJETTYHTTP2-10116751...
Linux Distros Unpatched Vulnerability : CVE-2023-26048
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support, e.g. annotated with @MultipartConfig, that call...
DEBIAN-CVE-2024-6763
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browser...
CVE-2024-22201
Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to st...
CVE-2024-22201 Jetty connection leaking on idle timeout when TCP congested
Jetty is a Java-based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to st...
SUSE CVE-2023-36478
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a...
CVE-2023-40167
Jetty is a Java-based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character preceding the content-length value in an HTTP/1 header field. This is more permissive than allowed by the RFC, and other servers routinely reject such requests...
DEBIAN-CVE-2023-26049
Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " double...
jetty: Ambiguous paths can access WEB-INF
In Jetty, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application...
SRC-2021-0017 : Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability
Vulnerability Details: This vulnerability allows remote attackers to disclose information on affected installations of Jetty Web Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ConcatServlet and WelcomeFilter classes. The issue results fro...
jetty: buffer not correctly recycled in Gzip Request inflation
In Eclipse Jetty versions 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that ...
CVE-2009-5046
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22...