rpm package
opensuse/jetty-minimal&distro=openSUSE Leap 15.5
pkg:rpm/opensuse/jetty-minimal&distro=openSUSE%20Leap%2015.5
Vulnerabilities (9)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-8184 | — | < 9.4.56-150200.3.28.1 | 9.4.56-150200.3.28.1 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's | ||
| CVE-2024-22201 | — | < 9.4.54-150200.3.25.1 | 9.4.54-150200.3.25.1 | Feb 26, 2024 | Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing | ||
| CVE-2023-36478 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Oct 10, 2023 | Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.j | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-41900 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenti | ||
| CVE-2023-40167 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely | ||
| CVE-2023-36479 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac | ||
| CVE-2023-26049 | — | < 9.4.51-150200.3.19.2 | 9.4.51-150200.3.19.2 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start | ||
| CVE-2023-26048 | — | < 9.4.51-150200.3.19.2 | 9.4.51-150200.3.19.2 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a |
- CVE-2024-8184Oct 14, 2024affected < 9.4.56-150200.3.28.1fixed 9.4.56-150200.3.28.1
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
- CVE-2024-22201Feb 26, 2024affected < 9.4.54-150200.3.25.1fixed 9.4.54-150200.3.25.1
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing
- CVE-2023-36478Oct 10, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.j
- affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-41900Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenti
- CVE-2023-40167Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely
- CVE-2023-36479Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac
- CVE-2023-26049Apr 18, 2023affected < 9.4.51-150200.3.19.2fixed 9.4.51-150200.3.19.2
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start
- CVE-2023-26048Apr 18, 2023affected < 9.4.51-150200.3.19.2fixed 9.4.51-150200.3.19.2
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a