Lucene search

K

34 matches found

CVE
CVE
added 2023/10/10 2:15 p.m.4686 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.94437EPSS
In wild
CVE
CVE
added 2023/09/15 7:15 p.m.951 views

CVE-2023-36479

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the ...

3.5CVSS5.9AI score0.00627EPSS
CVE
CVE
added 2024/02/26 4:27 p.m.711 views

CVE-2024-22201

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop...

7.5CVSS7.5AI score0.00293EPSS
CVE
CVE
added 2023/09/15 8:15 p.m.548 views

CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests w...

5.3CVSS5.5AI score0.02542EPSS
CVE
CVE
added 2023/10/10 5:15 p.m.523 views

CVE-2023-36478

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values toexceed their size limit. MetaDataBuilder.java determines if a hea...

7.5CVSS7.7AI score0.00832EPSS
CVE
CVE
added 2023/04/18 9:15 p.m.519 views

CVE-2023-26048

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a p...

5.3CVSS5.9AI score0.36142EPSS
CVE
CVE
added 2021/04/01 3:15 p.m.517 views

CVE-2021-28165

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

7.8CVSS7.3AI score0.0929EPSS
CVE
CVE
added 2023/04/18 9:15 p.m.504 views

CVE-2023-26049

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double qu...

5.3CVSS5.1AI score0.00263EPSS
CVE
CVE
added 2022/07/07 9:15 p.m.486 views

CVE-2022-2047

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

4CVSS5.2AI score0.00878EPSS
CVE
CVE
added 2020/11/28 1:15 a.m.446 views

CVE-2020-27218

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is...

5.8CVSS5.1AI score0.00352EPSS
CVE
CVE
added 2023/09/15 9:15 p.m.446 views

CVE-2023-41900

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the curr...

4.3CVSS4.7AI score0.00084EPSS
CVE
CVE
added 2021/06/09 2:15 a.m.415 views

CVE-2021-28169

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2,

5.3CVSS5.2AI score0.92092EPSS
In wild
CVE
CVE
added 2021/04/01 3:15 p.m.384 views

CVE-2021-28163

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that dir...

4CVSS5.1AI score0.00152EPSS
In wild
CVE
CVE
added 2022/07/07 9:15 p.m.348 views

CVE-2022-2048

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left ...

7.5CVSS7.3AI score0.01411EPSS
CVE
CVE
added 2021/07/15 5:15 p.m.341 views

CVE-2021-34429

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

5.3CVSS5.4AI score0.93799EPSS
CVE
CVE
added 2021/06/22 3:15 p.m.335 views

CVE-2021-34428

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2,

3.6CVSS3.9AI score0.00557EPSS
In wild
CVE
CVE
added 2021/02/26 10:15 p.m.334 views

CVE-2020-27223

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those qual...

5.3CVSS5.2AI score0.28074EPSS
CVE
CVE
added 2024/10/14 4:15 p.m.308 views

CVE-2024-6763

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURIdiffers from the common browsers i...

5.3CVSS4AI score0.0014EPSS
CVE
CVE
added 2024/10/14 4:15 p.m.303 views

CVE-2024-8184

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

6.5CVSS6AI score0.0025EPSS
CVE
CVE
added 2018/06/26 4:29 p.m.278 views

CVE-2017-7657

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as...

9.8CVSS9.1AI score0.06679EPSS
CVE
CVE
added 2020/10/23 1:15 p.m.273 views

CVE-2020-27216

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub direct...

7CVSS6.9AI score0.00164EPSS
CVE
CVE
added 2024/10/14 3:15 p.m.260 views

CVE-2024-9823

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory fina...

7.5CVSS5.3AI score0.00803EPSS
CVE
CVE
added 2025/05/08 6:15 p.m.226 views

CVE-2025-1948

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE.The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the specified capacity to ...

7.5CVSS7.5AI score0.00076EPSS
CVE
CVE
added 2025/05/08 6:15 p.m.215 views

CVE-2024-13009

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a requestbody. This can result in corrupted and/or inadvertent sharing of data between requests.

7.2CVSS7AI score0.00049EPSS
CVE
CVE
added 2018/06/26 5:29 p.m.195 views

CVE-2017-7658

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ...

9.8CVSS9.2AI score0.09388EPSS
CVE
CVE
added 2018/06/26 3:29 p.m.167 views

CVE-2017-7656

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated ...

7.5CVSS8.2AI score0.03903EPSS
CVE
CVE
added 2022/07/07 9:15 p.m.162 views

CVE-2022-2191

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths.

7.5CVSS7.5AI score0.00522EPSS
CVE
CVE
added 2017/06/16 9:29 p.m.161 views

CVE-2017-9735

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

7.5CVSS7.3AI score0.00522EPSS
CVE
CVE
added 2018/06/27 5:29 p.m.144 views

CVE-2018-12536

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.Invali...

5.3CVSS6.9AI score0.0422EPSS
CVE
CVE
added 2018/06/22 7:29 p.m.125 views

CVE-2018-12538

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storag...

8.8CVSS8.4AI score0.00468EPSS
CVE
CVE
added 2019/11/06 8:15 p.m.91 views

CVE-2009-5046

JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.

6.1CVSS6AI score0.00947EPSS
CVE
CVE
added 2019/11/06 8:15 p.m.90 views

CVE-2009-5045

Dump Servlet information leak in jetty before 6.1.22.

7.5CVSS7.3AI score0.01873EPSS
CVE
CVE
added 2024/10/14 4:15 p.m.77 views

CVE-2024-6762

Jetty PushSessionCacheFilter can be exploited by unauthenticated usersto launch remote DoS attacks by exhausting the server’s memory.

6.5CVSS4.3AI score0.01582EPSS
CVE
CVE
added 2020/12/14 9:15 p.m.45 views

CVE-2020-14368

A flaw was found in Eclipse Che in versions prior to 7.14.0 that impacts CodeReady Workspaces. When configured with cookies authentication, Theia IDE doesn't properly set the SameSite value, allowing a Cross-Site Request Forgery (CSRF) and consequently allowing a cross-site WebSocket hijack on Thei...

7.1CVSS7AI score0.00094EPSS