rpm package
opensuse/jetty-minimal&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/jetty-minimal&distro=openSUSE%20Tumbleweed
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-2332 | Hig | 7.4 | < 9.4.58-4.1 | 9.4.58-4.1 | Apr 14, 2026 | In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term | |
| CVE-2026-5795 | Hig | 7.4 | < 9.4.58-4.1 | 9.4.58-4.1 | Apr 8, 2026 | In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. | |
| CVE-2025-11143 | — | < 9.4.58-3.1 | 9.4.58-3.1 | Mar 5, 2026 | The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR | ||
| CVE-2025-5115 | — | < 9.4.58-1.1 | 9.4.58-1.1 | Aug 20, 2025 | In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th | ||
| CVE-2024-13009 | — | < 9.4.57-1.1 | 9.4.57-1.1 | May 8, 2025 | In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | ||
| CVE-2024-8184 | — | < 9.4.56-2.1 | 9.4.56-2.1 | Oct 14, 2024 | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's | ||
| CVE-2024-6763 | — | < 9.4.57-1.1 | 9.4.57-1.1 | Oct 14, 2024 | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro |
- affected < 9.4.58-4.1fixed 9.4.58-4.1
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * https://w4ke.info/2025/10/29/funky-chunks-2.html Jetty term
- affected < 9.4.58-4.1fixed 9.4.58-4.1
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.
- CVE-2025-11143Mar 5, 2026affected < 9.4.58-3.1fixed 9.4.58-3.1
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example a component that enforces a black list may interpret the UR
- CVE-2025-5115Aug 20, 2025affected < 9.4.58-1.1fixed 9.4.58-1.1
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent in a particular stream state, therefore forcing th
- CVE-2024-13009May 8, 2025affected < 9.4.57-1.1fixed 9.4.57-1.1
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
- CVE-2024-8184Oct 14, 2024affected < 9.4.56-2.1fixed 9.4.56-2.1
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's
- CVE-2024-6763Oct 14, 2024affected < 9.4.57-1.1fixed 9.4.57-1.1
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs fro