Maven package
org.eclipse.jetty/jetty-server
pkg:maven/org.eclipse.jetty/jetty-server
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-12538 | — | | | >= 9.4.0, < 9.4.11.v20180605 | 9.4.11.v20180605 | Jun 22, 2018 | In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the |
| CVE-2017-9735 | High | 7.5 | | >= 9.4.0, < 9.4.6.v20170531 | 9.4.6.v20170531 | Jun 16, 2017 | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. |
| CVE-2016-4800 | Critical | 9.8 | | >= 9.3.0, < 9.3.9 | 9.3.9 | Apr 13, 2017 | The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes. |
| CVE-2015-2080 | High | 7.5 | | < 9.2.9.v20150224 | 9.2.9.v20150224 | Oct 7, 2016 | The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. |
| CVE-2011-4461 | Medium | 5.3 | | < 8.1.0.RC4 | 8.1.0.RC4 | Dec 30, 2011 | Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
| CVE-2006-6969 | — | | | < 4.2.27 | 4.2.27 | Feb 7, 2007 | Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using java.util.random, which makes it easier for remote attackers to guess a session identifier through brute force attacks, bypass authentication require |
Page 2 of 2