47 matches found
CVE-2023-44487
CVE-2023-44487 – HTTP/2 Rapid Reset DoS Root cause: HTTP/2 stream resets can cause servers to continue processing, leading to unbounded resource consumption and potential DoS when clients rapidly cancel streams. What’s affected: Various HTTP/2 implementations and deployments, including servers, p...
CVE-2023-36479
What is affected. Jetty’s CGI Servlet (org.eclipse.jetty.servlets.CGI) in Jetty versions impacted by CVE-2023-36479. Root cause. When a request targets a binary with a space in its name, Jetty escapes the command by wrapping it in quotes; if the binary name contains a quotation mark followed by a...
CVE-2024-22201
Technical details about CVE-2024-22201 are not provided in the Connected documents. The Initial entry mentions affected Jetty versions and a patch, but does not supply root-cause analysis, exact vulnerable components, exploit details, or comprehensive mitigations. Monitor for updates.
CVE-2023-36478
CVE-2023-36478 (Jetty) affects Jetty 9.x/10.x/11.x: an integer overflow in MetaDataBuilder.checkSize can cause HPACK header lengths to overflow, potentially enabling a remote denial-of-service via malformed HTTP/2 header values. The flaw occurs when length is large and Huffman encoding is used, c...
CVE-2023-40167
CVE-2023-40167 (Jetty) affects Jetty Java-based web server/servlet engine. Prior to Jetty 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts a "+" character before the Content-Length in HTTP/1 header fields, which is non-RFC compliant. This could enable request smuggling in scenarios where a dow...
CVE-2023-26048
CVE-2023-26048 (Jetty) affects Jetty’s Java-based web server/servlet engine. Affected servlets using multipart support (e.g., @MultipartConfig) calling HttpServletRequest.getParameter() or getParts() may trigger an OutOfMemoryError when a client sends a multipart part with a name but no filename ...
CVE-2021-28165
The CVE-2021-28165 issue affects Eclipse Jetty versions 7.2.2–9.4.38, 10.0.0.alpha0–10.0.1, and 11.0.0.alpha0–11.0.1, where handling a large invalid TLS frame can cause CPU usage to reach 100%, leading to resource exhaustion. The underlying cause is described as abnormal processing after receivin...
CVE-2023-26049
Jetty cookie parsing vulnerability CVE-2023-26049 affects Jetty’s cookie handling where a cookie VALUE starting with a double quote can cause the parser to read past semicolons, effectively merging multiple cookies into one. This can enable cookie smuggling (e.g., exfiltrating HttpOnly cookies li...
CVE-2022-2047
CVE-2022-2047 affects Eclipse Jetty: vulnerable in Jetty 9.4.0–9.4.46, 10.0.0–10.0.9, and 11.0.0–11.0.9. The HttpURI class misparses the authority segment of an HTTP URI, treating certain invalid inputs as a hostname, which can cause failures in a proxy scenario. Connected documents provide exact...
CVE-2020-27218
CVE-2020-27218 affects Eclipse Jetty 9.4.x (9.4.0.RC0–9.4.34.v20201102), 10.x (10.0.0.alpha0–beta2), and 11.x (11.0.0.alpha0–beta2). When GZIP request body inflation is enabled and requests from different clients are multiplexed on one connection, an attacker who can send a body that is received ...
CVE-2021-28169
CVE-2021-28169 affects Eclipse Jetty shipped with multiple versions (<= 9.4.40, <= 10.0.2,
CVE-2023-41900
CVE-2023-41900 affects Jetty: versions 9.4.21–9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication through OpenIdAuthenticator with a nested LoginService; if the LoginService revokes an already authenticated user, the session may still be treated as authenticated, potentially allowi...
CVE-2021-28164
CVE-2021-28164 (Jetty): Affects Jetty 9.4.37.v20210219–9.4.38.v20210224. The default compliance mode allowed URIs containing encoded dot segments (%2e, %2e%2e) to access protected WEB-INF resources (e.g., /context/%2e/WEB-INF/web.xml), exposing sensitive implementation details. Public references ...
CVE-2019-17638
The CVE-2019-17638 entry concerns Eclipse Jetty (versions 9.4.27.v20200227 through 9.4.29.v20200521) where a too-large response header scenario leads to a double release of the ByteBuffer in the ByteBufferPool. This can allow two threads to racingly access the same ByteBuffer; as one thread prepa...
CVE-2021-28163
CVE-2021-28163 (Jetty symlink handling) is reported across multiple IBM advisories as a vulnerability in Eclipse Jetty where if the ${jetty.base} or ${jetty.base}/webapps directory is a symlink, an attacker could obtain the contents of the webapps directory. IBM documents list affected products s...
CVE-2022-2048
CVE-2022-2048 concerns the Eclipse Jetty HTTP/2 server. The bug occurs when handling an invalid HTTP/2 request, where the error path fails to properly clean up active connections and associated resources. This can lead to a denial of service due to resource exhaustion, rendering the server unable...
CVE-2020-27223
CVE-2020-27223 affects Eclipse Jetty 9.4.6.v20170531–9.4.36.v20210114, 10.0.0, and 11.0.0, where handling requests with multiple Accept headers and many quality (q) values can cause high CPU usage and a DoS. Public sources consistently describe CPU exhaustion as the impact. Remediation is to upgr...
CVE-2021-34429
CVE-2021-34429 affects Eclipse Jetty: 9.4.37–9.4.42, 10.0.1–10.0.5, and 11.0.1–11.0.5. A vulnerability allows crafting certain encoded URIs to access WEB-INF content and bypass some security constraints, constituting a variation of CVE-2021-28164. Public references in connected docs describe this...
CVE-2021-34428
CVE-2021-34428 affects Eclipse Jetty up to 9.4.40, 10.0.2, and 11.0.2. The root cause is an exception in SessionListener#sessionDestroyed() that prevents the session ID from being invalidated in the session ID manager, which in clustered deployments can leave a user session active on a shared mac...
CVE-2024-6763
CVE-2024-6763 affects the Jetty project (HttpURI utility) and involves insufficient validation of the URI authority segment. The vulnerability can lead to an open redirect or SSRF when a vulnerable Jetty HttpURI is used with certain (invalid) URIs, potentially depending on browser parsing differe...
CVE-2024-8184
Jetty CVE-2024-8184 affects ThreadLimitHandler.getRemote(), allowing remote DoS via crafted requests that trigger OutOfMemory. Affected Jetty series include 12.x (12.0.0–12.0.8), 11.x (11.0.0–11.0.23), 10.x (10.0.0–10.0.23), and 9.x (9.3.12–9.4.55). Patched releases: 12.0.9, 11.0.24, 10.0.24, and...
CVE-2019-10247
CVE-2019-10247 affects Eclipse Jetty when configured to list contexts in 404 responses. Jetty versions 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older disclose the fully qualified directory base resource location in the HTML output of a not-found Context, via the DefaultHandler...
CVE-2024-13009
CVE-2024-13009 (Jetty) affects Jetty 9.4.0–9.4.56 where a gzip error during inflating a request body can cause a buffer to be released incorrectly, potentially corrupting or sharing data between requests. Public IBM bulletins tie this CVE to IBM QRadar SIEM, IBM Storage Scale, and Tivoli Netcool/...
CVE-2017-7657
CVE-2017-7657 affects Eclipse Jetty: transfer-encoding chunk size parsing could overflow an integer, causing large chunks to be treated as smaller ones and enabling a fake pipelined request that bypasses intermediary authorization. Affected versions include Jetty 9.2.x and older, 9.3.x (all confi...
CVE-2024-9823
CVE-2024-9823 involves Jetty's DosFilter. The provided documents confirm a remote DoS via crafted requests that trigger OutOfMemory and exhaust server memory, as described under the Jetty DosFilter entry (CWE-400: Uncontrolled Resource Consumption). No specific remediation or affected versions ar...
CVE-2020-27216
CVE-2020-27216 affects Eclipse Jetty in Unix-like environments across versions 1.0–9.4.32.v20200930, 10.0.0.alpha1–10.0.0.beta2, and 11.0.0.alpha1–11.0.0.beta2O. It describes a race condition where the system temporary directory is shared among users, allowing a collocated user to observe the cre...
CVE-2025-1948
The CVE-2025-1948 issue affects Eclipse Jetty 12.0.0–12.0.16 where HTTP/2 SETTINGS_MAX_HEADER_LIST_SIZE can be set to a very large value. The Jetty HTTP/2 server does not validate this setting, leading to an allocation of a ByteBuffer of the requested size and likely OutOfMemoryError or JVM crash...
CVE-2019-10241
CVE-2019-10241 affects Eclipse Jetty prior to specific release lines: 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older. The vulnerability is an XSS due to improper validation of user-supplied input by DefaultServlet and ResourceHandler when a remote client uses a specially crafted URL to ...
CVE-2017-7658
In CVE-2017-7658, Eclipse Jetty had a flaw in how it handles HTTP requests when multiple Content-Length headers are present or when a Content-Length header accompanies a chunked encoding header. This could allow a forged or pipelined request to bypass intermediary authorization if the shorter len...
CVE-2022-2191
CVE-2022-2191 affects Eclipse Jetty by failing to release ByteBuffers from ByteBufferPool in error paths in Jetty 10.0.0–10.0.9 and 11.0.0–11.0.9. The described root cause is a ByteBuffer lifecycle issue in SslConnection, leading to a potential denial of service with high availability impact. Pub...
CVE-2017-7656
CVE-2017-7656 affects Eclipse Jetty: HTTP/0.9 handling vulnerability in Jetty 9.2.x and older, 9.3.x (all configurations), and 9.4.x with RFC2616 compliance enabled. An HTTP/1 style request line declaring HTTP/0.9 could be treated as a 0.9 request, potentially enabling intermediar y proxies to mi...
CVE-2015-2080
CVE-2015-2080 affects Eclipse Jetty; vulnerability in exception handling allows remote attackers to disclose sensitive memory contents via illegal characters in HTTP headers (JetLeak). Affected product: Jetty versions before 9.2.9.v20150224. Impact per sources: information disclosure; no integrit...
CVE-2017-9735
CVE-2017-9735 affects Jetty (Jetty 9.x family) via a timing-channel flaw in util/security/Password.java, enabling a remote attacker to infer sensitive information by measuring response times to incorrect password attempts. The issue can lead to unauthorized access and is described with a CVSS bas...
CVE-2018-12536
CVE-2018-12536 affects Eclipse Jetty Server (9.x) when webapps use the DefaultServlet/Default Error handling. A specially crafted bad query targeting non-matching URLs can trigger java.nio.file.InvalidPathException during static file serving, and if the error handler reveals the exception message...
CVE-2026-2332
In the provided records, CVE-2026-2332 is a Jetty HTTP/1.1 parser vulnerability allowing request smuggling via chunked extension quoted-strings. The issue arises when chunk extensions are parsed and a CRLF occurs inside quotes, enabling a smuggled request across requests on a single connection. D...
CVE-2018-12538
CVE-2018-12538 affects Eclipse Jetty 9.4.0–9.4.8 when using the FileSessionDataStore for HttpSession persistence. A malicious user could hijack or delete other users’ sessions via the FileSystem storage, due to a flaw in the FileSessionDataStore. Remediation noted in public advisories: upgrade Je...
CVE-2019-17632
CVE-2019-17632 affects Eclipse Jetty 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118. The issue: default unhandled error responses (text/html/text/json) may include unescaped exception messages in stacktraces, enabling leakage or potential cross-site scripting via error output. Connected...
CVE-2019-10246
CVE-2019-10246 is described in connected IBM security bulletins as an Eclipse Jetty vulnerability where a server configured to Listing directory contents could expose the fully-qualified Base Resource directory name to remote clients, potentially revealing sensitive information. IBM Cognos Analyt...
CVE-2018-12545
CVE-2018-12545 : In Eclipse Jetty 9.3.x and 9.4.x, the server is vulnerable to Denial of Service when a remote client sends large or numerous SETTINGS frames, due to extra CPU and memory allocations to handle changed settings. The IBM Security Bulletin for Jazz Foundation lists this CVE among Jet...
CVE-2026-5795
In Eclipse Jetty, the JASPIAuthenticator initializes authentication checks that set two ThreadLocal variables. After returning from these initial checks, the code may take an early return path without clearing the ThreadLocals. A subsequent request that executes on the same thread inherits these ...
CVE-2025-5115
CVE-2025-5115 (MadeYouReset) is a protocol-level HTTP/2 vulnerability in Jetty affecting versions <= 9.4.57, <= 10.0.25, <= 11.0.25, <= 12.0.21,
CVE-2009-5045
CVE-2009-5045 concerns an information disclosure in the Jetty Dump Servlet . Affected software is the Jetty web server/servlet container, with the vulnerability existing in versions prior to 6.1.22 . The NVD reports a CVSSv3.1 base score of 7.5 (HIGH) , indicating a network-accessible issue with ...
CVE-2009-5046
CVE-2009-5046 affects Jetty (JSP Dump and Session Dump Servlets) with XSS due to improper validation in the JSP Dump and Session Dump Servlets, observed in Jetty versions before 6.1.22. The vulnerability enables cross-site scripting that can steal cookie-based credentials when a page using the af...
CVE-2016-4800
CVE-2016-4800 affects Eclipse Jetty 9.3.x prior to 9.3.9 on Windows. The path normalization in PathResource can be bypassed via a URL containing certain escaped characters (backslashes), allowing an attacker to bypass protected resource restrictions and other security constraints. The description...
CVE-2024-6762
CVE-2024-6762 is evidenced in Debian advisories as affecting Jetty 9 (Jetty9) where PushSessionCacheFilter (and PushCacheFilter) can be abused by unauthenticated actors to trigger remote DoS through memory exhaustion. Debian security updates fix Jetty9 in Debian 11 and 12: upgrade to Jetty 9.4.57...
CVE-2026-1605
In Jetty, vulnerable in GzipHandler when processing a gzip-compressed HTTP request (Content-Encoding: gzip) but returning an uncompressed response. A JDK Inflater is allocated to decompress the request, but the release path is tied to the response being compressed; since the response isn’t compre...
CVE-2025-11143
Summary of CVE-2025-11143 : The Jetty HTTP URI parser has differences in handling invalid/unusual URIs, causing potential security by‑pass or leakage of implementation details when multiple components parse URIs differently. Public sources describe practical implications as differential parsing a...