Jetty@* Security Vulnerabilities and Issues — Jetty@* CVE List

Lucene search

EclipseJetty*

7 matches found

CVE•added 2023/10/10 2:15 p.m.•4467 views

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

7.5CVSS8AI score0.9441EPSS

CVE•added 2023/09/15 7:15 p.m.•917 views

CVE-2023-36479

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the ...

3.5CVSS5.9AI score0.00627EPSS

CVE•added 2023/09/15 8:15 p.m.•508 views

CVE-2023-40167

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests w...

5.3CVSS5.5AI score0.02542EPSS

CVE•added 2023/10/10 5:15 p.m.•496 views

CVE-2023-36478

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values toexceed their size limit. MetaDataBuilder.java determines if a hea...

7.5CVSS7.7AI score0.00832EPSS

CVE•added 2023/04/18 9:15 p.m.•484 views

CVE-2023-26048

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a p...

5.3CVSS5.9AI score0.36142EPSS

CVE•added 2023/04/18 9:15 p.m.•470 views

CVE-2023-26049

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double qu...

5.3CVSS5.1AI score0.00263EPSS

CVE•added 2023/09/15 9:15 p.m.•410 views

CVE-2023-41900

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty OpenIdAuthenticator uses the optional nested LoginService, and that LoginService decides to revoke an already authenticated user, then the curr...

4.3CVSS4.7AI score0.00091EPSS