Maven package
org.eclipse.jetty/jetty-server
pkg:maven/org.eclipse.jetty/jetty-server
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-1605 | — |  |  | >= 12.1.0, < 12.1.6 | 12.1.6 | Mar 5, 2026 | In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.1.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is not compressed. This happens because the JDK Inflater is allocated |
| CVE-2024-13009 | — |  |  | >= 9.4.0, < 9.4.57.v20241219 | 9.4.57.v20241219 | May 8, 2025 | In Eclipse Jetty versions 9.4.0 to 9.4.56, a buffer can be incorrectly released when a gzip error occurs while inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. |
| CVE-2024-8184 | — |  |  | >= 12.0.0, < 12.0.9 | 12.0.9 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's |
| CVE-2023-26049 | — |  |  | < 9.4.51.v20230217 | 9.4.51.v20230217 | Apr 18, 2023 | Jetty is a Java-based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start |
| CVE-2023-26048 | — |  |  | < 9.4.51.v20230217 | 9.4.51.v20230217 | Apr 18, 2023 | Jetty is a Java-based web server and servlet engine. In affected versions, servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a |
| CVE-2022-2191 | — |  |  | >= 10.0.0, < 10.0.10 | 10.0.10 | Jul 7, 2022 | In Eclipse Jetty versions 10.0.0 through 10.0.9 and 11.0.0 through 11.0.9, SslConnection does not release ByteBuffers from the configured ByteBufferPool on error code paths. |
| CVE-2021-34428 | — |  |  | < 9.4.41 | 9.4.41 | Jun 22, 2021 | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result |
| CVE-2021-28165 | — |  |  | >= 7.2.2, < 9.4.39 | 9.4.39 | Apr 1, 2021 | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. |
| CVE-2020-27223 | — |  |  | >= 9.4.6, < 9.4.37 | 9.4.37 | Feb 26, 2021 | In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0, when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage pr |
| CVE-2020-27218 | — |  |  | >= 9.4.0, < 9.4.35.v20201120 | 9.4.35.v20201120 | Nov 28, 2020 | In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request |
| CVE-2019-17638 | — |  |  | >= 9.4.27, < 9.4.30.v20200611 | 9.4.30.v20200611 | Jul 9, 2020 | In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too-large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Bec |
| CVE-2019-17632 | — |  |  | >= 9.4.21.v20190926, < 9.4.24.v20191120 | 9.4.24.v20191120 | Nov 25, 2019 | In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output. |
| CVE-2019-10247 | — |  |  | >= 7.0.0, < 9.2.28.v20190418 | 9.2.28.v20190418 | Apr 22, 2019 | In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location in the output of the 404 error for not finding a Con |
| CVE-2019-10246 | — |  |  | >= 9.2.0, < 9.2.28.v20190418 | 9.2.28.v20190418 | Apr 22, 2019 | In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name to a remote client when it is configured for showing a Listing of directory contents. This information revea |
| CVE-2019-10241 | — |  |  | < 9.2.27.v20190403 | 9.2.27.v20190403 | Apr 22, 2019 | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory cont |
| CVE-2018-12545 | — |  |  | >= 9.4.0, < 9.4.12.v20180830 | 9.4.12.v20180830 | Mar 27, 2019 | In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large SETTINGS frames containing many settings, or many small SETTINGS frames. The vulnerability is due to the additional CPU and memory al |
| CVE-2018-12536 | — |  |  | >= 9.4.0, < 9.4.11.v20180605 | 9.4.11.v20180605 | Jun 27, 2018 | In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a j |
| CVE-2017-7658 | — |  |  | < 9.2.25.v20180606 | 9.2.25.v20180606 | Jun 26, 2018 | In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the |
| CVE-2017-7657 | — |  |  | < 9.2.25.v20180606 | 9.2.25.v20180606 | Jun 26, 2018 | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size coul |
| CVE-2017-7656 | — |  |  | < 9.3.24.v20180605 | 9.3.24.v20180605 | Jun 26, 2018 | In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was ac |
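The check a practitioner usually wants from a page like this is "does my pinned jetty-server version fall inside any listed range?". The script below is an added example (not code from the listing service or from the Jetty project): it embeds the "Affected versions" strings from the table above and evaluates a version against them. The version ordering is an assumption made for this example rather than Maven's or Jetty's own comparator: numeric segments compare numerically, a `.vYYYYMMDD` date stamp marks a final release and is ignored for ordering, and `alpha`/`beta`/`RC` qualifiers sort before the final release with the same numbers. Two caveats follow from the page itself: only the 20 rows on this page are embedded (the heading counts 26, and the listing is paginated), and the "Affected versions" column records a single range per CVE even where the description names further release lines (CVE-2021-34428 also names 10.0.x and 11.0.x, CVE-2026-1605 also names 12.0.x), so an empty result for a 10.x, 11.x or 12.0.x version is not evidence of absence; read the description column as well.

```python
"""Match a jetty-server version against the affected ranges in the table above."""
import re

# Range strings copied from the "Affected versions" column of the table above.
# Each is either ">= A, < B" or "< B"; B is the "Fixed in" version.
AFFECTED_RANGES = {
    "CVE-2026-1605": ">= 12.1.0, < 12.1.6",
    "CVE-2024-13009": ">= 9.4.0, < 9.4.57.v20241219",
    "CVE-2024-8184": ">= 12.0.0, < 12.0.9",
    "CVE-2023-26049": "< 9.4.51.v20230217",
    "CVE-2023-26048": "< 9.4.51.v20230217",
    "CVE-2022-2191": ">= 10.0.0, < 10.0.10",
    "CVE-2021-34428": "< 9.4.41",
    "CVE-2021-28165": ">= 7.2.2, < 9.4.39",
    "CVE-2020-27223": ">= 9.4.6, < 9.4.37",
    "CVE-2020-27218": ">= 9.4.0, < 9.4.35.v20201120",
    "CVE-2019-17638": ">= 9.4.27, < 9.4.30.v20200611",
    "CVE-2019-17632": ">= 9.4.21.v20190926, < 9.4.24.v20191120",
    "CVE-2019-10247": ">= 7.0.0, < 9.2.28.v20190418",
    "CVE-2019-10246": ">= 9.2.0, < 9.2.28.v20190418",
    "CVE-2019-10241": "< 9.2.27.v20190403",
    "CVE-2018-12545": ">= 9.4.0, < 9.4.12.v20180830",
    "CVE-2018-12536": ">= 9.4.0, < 9.4.11.v20180605",
    "CVE-2017-7658": "< 9.2.25.v20180606",
    "CVE-2017-7657": "< 9.2.25.v20180606",
    "CVE-2017-7656": "< 9.3.24.v20180605",
}

# Ordering rules assumed for this example (not Maven's or Jetty's comparator):
# pre-release qualifiers sort below the final release with the same numbers,
# and a ".vYYYYMMDD" stamp is treated as the final release (stamp ignored).
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_DATE_STAMP = re.compile(r"^v\d{8}$")
_PRERELEASE = re.compile(r"^(alpha|beta|rc)(\d*)$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Return a sortable key: (numeric segments padded to 4, rank, qualifier number)."""
    numbers, qualifier = [], None
    for segment in version.strip().split("."):
        if segment.isdigit():
            numbers.append(int(segment))
        else:
            qualifier = segment  # first non-numeric segment ends the numeric part
            break
    if not numbers:
        raise ValueError(f"no numeric segments in {version!r}")
    numbers += [0] * (4 - len(numbers))  # 9.4.41 compares equal to 9.4.41.0
    if qualifier is None or _DATE_STAMP.match(qualifier):
        return (tuple(numbers), _FINAL_RANK, 0)
    m = _PRERELEASE.match(qualifier)
    if not m:
        raise ValueError(f"unrecognised qualifier in {version!r}")
    return (tuple(numbers), _PRERELEASE_RANK[m.group(1).lower()], int(m.group(2) or 0))


_OPS = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def in_range(version: str, range_spec: str) -> bool:
    """True when every comma-separated clause of range_spec holds for version."""
    key = parse_version(version)
    for clause in range_spec.split(","):
        op, bound = clause.split()
        if not _OPS[op](key, parse_version(bound)):
            return False
    return True


def matching_cves(version: str) -> list:
    """CVE IDs from the table whose listed range contains version (sorted)."""
    return sorted(cve for cve, spec in AFFECTED_RANGES.items() if in_range(version, spec))


if __name__ == "__main__":
    for v in ("9.4.50.v20221201", "9.4.57.v20241219", "10.0.9", "12.1.5"):
        print(v, matching_cves(v) or "no listed range matches")
```

Feed it the resolved version from your build (for Maven, the `org.eclipse.jetty:jetty-server` line of `mvn dependency:tree`), not the version declared in the POM, since transitive dependency management can pull in a different release than the one you wrote down.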
Page 1 of 2