Design/Logic Flaw

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support e.g. annotated with @MultipartConfig that call HttpServletRequest.getParameter or HttpServletRequest.getParts may cause OutOfMemoryError when the client sends a multipart request with a part...

CVE-2023-26048

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support e.g. annotated with @MultipartConfig that call HttpServletRequest.getParameter or HttpServletRequest.getParts may cause OutOfMemoryError when the client sends a multipart request with a part...

CVE-2023-26048

CVE-2023-26048 (Jetty) affects Jetty’s Java-based web server/servlet engine. Affected servlets using multipart support (e.g., @MultipartConfig) calling HttpServletRequest.getParameter() or getParts() may trigger an OutOfMemoryError when a client sends a multipart part with a name but no filename ...

CVE-2023-26048

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support e.g. annotated with @MultipartConfig that call HttpServletRequest.getParameter or HttpServletRequest.getParts may cause OutOfMemoryError when the client sends a multipart request with a part...

Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)

Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. Content VULNERABILITY DETAILS...

Security Bulletin: Tivoli Federated Identity Manager Business Gateway - Unprotected Management Console Servlets (CVE-2012-3315)

Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager Business Gateway contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIMBG. Content...

GHSA-342C-F869-5M44 Apache Sling POST Servlets Denial of Service Vulnerability

The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service infinite loop via a crafted HTTP request...

Apache Sling POST Servlets Denial of Service Vulnerability

The @CopyFrom operation in the POST servlet in the org.apache.sling.servlets.post bundle before 2.1.2 in Apache Sling does not prevent attempts to copy an ancestor node to a descendant node, which allows remote attackers to cause a denial of service infinite loop via a crafted HTTP request...

com.activecq.tools.quickimage:core (=1.0.0), com.adobe.cq.commerce:cq-commerce-hybris-impl (>=5.5.0 <=6.4.4) +19 more potentially affected by CVE-2012-2138 via org.apache.sling:org.apache.sling.servlets.post (>=2.0.4-incubator <=2.1.0)

org.apache.sling:org.apache.sling.servlets.post MAVEN version =2.0.4-incubator, =5.5.0, =5.5.0, =5.3.0, =5.3.0, =5.4.0, =1.0.8, =1.0.12, =1.0.6, =5.5.0, =5.6.2, =5.4.0, =5.6.8 and more Source cves: CVE-2012-2138 Source advisory: OSV:GHSA-342C-F869-5M44...

GHSA-M27M-628V-XXP2 Exposure of Sensitive Information to an Unauthorized Actor in Apache Sling Servlets Post

The Servlets Post component 2.3.6 in Apache Sling, as used in Adobe Experience Manager 5.6.1, 6.0.0, and 6.1.0, allows remote attackers to obtain sensitive information via unspecified vectors...

com.activecq.tools.quickimage:core (=1.0.0), com.adobe.cq.commerce:cq-commerce-hybris-impl (>=5.5.0 <=6.4.4) +26 more potentially affected by CVE-2017-9802 via org.apache.sling:org.apache.sling.servlets.post (>=2.0.4-incubator <=2.3.2)

org.apache.sling:org.apache.sling.servlets.post MAVEN version =2.0.4-incubator, =5.5.0, =5.6.2, =5.5.0, =5.5.74, =5.3.0, =5.3.0, =5.4.0, =5.5.0, =1.0.8, =1.0.12, =1.0.6, =1.7.2 - com.day.cq.mcm:cq-mcm-silverpop-integration =1.0.2 and more Source cves: CVE-2017-9802 Source advisory:...

Improper Neutralization of Input During Web Page Generation Apache Sling Servlets Post

The Javascript method Sling.evalString in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings...

GHSA-RXVX-44W5-44R7 Improper Neutralization of Input During Web Page Generation in Apache Sling

Multiple cross-site scripting XSS vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to 1 org/apache/sling/api/servlets/HtmlResponse and 2...

com.activecq.tools.quickimage:core (=1.0.0), com.adobe.cq.commerce:cq-commerce-hybris-impl (>=5.5.0 <=6.4.4) +19 more potentially affected by CVE-2015-2944 via org.apache.sling:org.apache.sling.servlets.post (>=2.0.4-incubator <=2.1.0)

org.apache.sling:org.apache.sling.servlets.post MAVEN version =2.0.4-incubator, =5.5.0, =5.5.0, =5.3.0, =5.3.0, =5.4.0, =1.0.8, =1.0.12, =1.0.6, =5.5.0, =5.6.2, =5.4.0, =5.6.8 and more Source cves: CVE-2015-2944 Source advisory: OSV:GHSA-RXVX-44W5-44R7...

Improper Neutralization of Input During Web Page Generation in Apache Sling

Multiple cross-site scripting XSS vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to 1 org/apache/sling/api/servlets/HtmlResponse and 2...

GHSA-8G4F-FH7F-4FWH Apache Tomcat Default Installation Reveals Sensitive Information

The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the 1 SnoopServlet or 2 TroubleShooter example servlets...

Mageia: Security Advisory (MGASA-2018-0149)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Information Disclosure

jetty-servlets is vulnerable to information disclosure. Lack of proper handling of requests to the ConcatServlet with a doubly encoded path allows an attacker to access protected resources within the WEB-INF directory. For example, sending /concat?/%2557EB-INF/web.xml can retrieve the web.xml fil...

GHSA-RHH9-CM65-3W54 Improper Authentication in Apache Hadoop

In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled...

Security Bulletin: Apache Hadoop could allow a remote attacker to obtain sensitive information that could affect IBM Streams.

Summary In Apache Hadoop versions 3.0.0-alpha2 to 3.0.0, 2.9.0 to 2.9.2, 2.8.0 to 2.8.5, any users can access some servlets without authentication when Kerberos authentication is enabled and SPNEGO through HTTP is not enabled. Please see more details below. Vulnerability Details CVEID:...