rpm package: opensuse/jetty-websocket (distro: openSUSE Leap 15.3)
pkg:rpm/opensuse/jetty-websocket?distro=openSUSE%20Leap%2015.3
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-34429 | — | — | — | < 9.4.43-3.12.2 | 9.4.43-3.12.2 | Jul 15, 2021 | For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/G |
| CVE-2021-28169 | — | — | — | < 9.4.42-3.9.1 | 9.4.42-3.9.1 | Jun 9, 2021 | For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml fil |
| CVE-2021-28165 | — | — | — | < 9.4.42-3.9.1 | 9.4.42-3.9.1 | Apr 1, 2021 | In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. |
| CVE-2021-28164 | — | — | — | < 9.4.42-3.9.1 | 9.4.42-3.9.1 | Apr 1, 2021 | In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to `/context/%2e/WEB-INF/web.xml` can retrieve the web. |
| CVE-2021-28163 | — | — | — | < 9.4.42-3.9.1 | 9.4.42-3.9.1 | Apr 1, 2021 | In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that m |

The "Affected versions" and "Fixed in" columns are openSUSE Leap 15.3 rpm version-release strings (the distro may backport fixes), while the descriptions quote upstream Jetty version ranges; compare an installed package against the rpm string, not the upstream range.
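Because the table states fix status as rpm version-release strings, the check a practitioner actually needs is a correct rpm version comparison rather than a string comparison: "3.12.2" sorts before "3.9.1" as text but is the newer release. The Python below is an added example, not part of this page and not openSUSE's tooling. It implements the segment-wise ordering rpm uses (digit runs compare as integers, letter runs lexically, a digit run beats a letter run, and on a tie the string with more segments is newer; the `~` and `^` rules are left out as a stated simplification), parses the default `rpm -q jetty-websocket` output of the form name-version-release.arch, and lists which of the five CVEs above are still unfixed at a given installed version. The fixed-in values are copied from the table; the installed versions used in the usage are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed-in version-release per CVE, copied from the table above (Leap 15.3 rpm).
FIXED_IN: Dict[str, str] = {
    "CVE-2021-34429": "9.4.43-3.12.2",
    "CVE-2021-28169": "9.4.42-3.9.1",
    "CVE-2021-28165": "9.4.42-3.9.1",
    "CVE-2021-28164": "9.4.42-3.9.1",
    "CVE-2021-28163": "9.4.42-3.9.1",
}

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm orders them.

    Separators are ignored; the strings are walked as runs of digits or
    letters. Digit runs compare as integers (so "12" > "9"), letter runs
    lexically, and a digit run beats a letter run. If the segments of one
    string are a prefix of the other's, the longer one is newer.
    Simplification: the '~' (pre-release) and '^' rules are not modelled.
    Returns -1, 0 or 1.
    """
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def split_version_release(vr: str) -> Tuple[str, str]:
    """'9.4.43-3.12.2' -> ('9.4.43', '3.12.2'); the last '-' is the separator."""
    version, sep, release = vr.rpartition("-")
    if not sep:
        raise ValueError(f"no release part in {vr!r}")
    return version, release


def compare_vr(a: str, b: str) -> int:
    """Compare two version-release strings: version first, then release."""
    va, ra = split_version_release(a)
    vb, rb = split_version_release(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nevra(nevra: str) -> Tuple[str, str]:
    """Parse default `rpm -q` output 'name-version-release.arch' into
    (name, 'version-release'). Epochs are not handled (this package has none)."""
    without_arch, _, _ = nevra.rpartition(".")
    name_version, _, release = without_arch.rpartition("-")
    name, _, version = name_version.rpartition("-")
    return name, f"{version}-{release}"


def unfixed_cves(installed_vr: str) -> List[str]:
    """CVEs from the table whose fixed-in version is newer than what is installed."""
    return sorted(cve for cve, fixed in FIXED_IN.items()
                  if compare_vr(installed_vr, fixed) < 0)


if __name__ == "__main__":
    # Constructed sample: what `rpm -q jetty-websocket` might print on a host
    # that took the June 2021 update but not the July one.
    _, installed = parse_nevra("jetty-websocket-9.4.42-3.9.1.noarch")
    print(installed, "still affected by:", unfixed_cves(installed) or "nothing")
```

On a real host, `rpm -q --qf '%{VERSION}-%{RELEASE}\n' jetty-websocket` yields the version-release string directly; `zypper` and `rpmdev-vercmp` (rpmdevtools) implement the full ordering if a `~` or `^` ever appears in a release.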
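The two request examples quoted in the CVE descriptions, `/concat?/%2557EB-INF/web.xml` and `/context/%2e/WEB-INF/web.xml`, share one root cause: the path that is compared against the protected-resource rule is not the path that is finally resolved. The Python below is an added example, not Jetty's code and not the openSUSE package's. It puts a naive prefix check on the raw request path (the shape of check those URIs slip past) beside a canonicalizing check that percent-decodes to a fixpoint, strips `.` and `..` segments, and fails closed on input it cannot normalize, then runs both over the page's two URIs plus a few constructed variants. For the ConcatServlet case the attacker-controlled path is the query value, so the functions are fed `/%2557EB-INF/web.xml`; the `/context` prefix is likewise stripped from the second example. The segment set, decode bound and probe list are this example's own choices.

```python
from typing import List, Tuple
from urllib.parse import unquote

PROTECTED_SEGMENTS = {"WEB-INF", "META-INF"}
MAX_DECODE_ROUNDS = 3  # input still changing after this many passes is treated as hostile


def naive_is_protected(raw_path: str) -> bool:
    """Prefix match on the raw, still-encoded request path.

    '/%2557EB-INF/web.xml' and '/%2e/WEB-INF/web.xml' do not start with
    '/WEB-INF/', yet both resolve into that directory once decoded and
    normalized, so this check lets them through.
    """
    return any(raw_path.startswith(f"/{seg}/") for seg in PROTECTED_SEGMENTS)


def decode_rounds(raw_path: str) -> List[str]:
    """Percent-decode repeatedly until the string stops changing.

    Returns every intermediate form, starting with the input. A doubly
    encoded %2557 needs two rounds to become 'W'. Raises if the value is
    still changing after MAX_DECODE_ROUNDS passes.
    """
    rounds = [raw_path]
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            return rounds
        rounds.append(nxt)
    raise ValueError("percent-encoding nested too deeply")


def canonicalize(raw_path: str) -> str:
    """Fully decoded path with '.', '..' and empty segments resolved.

    A '..' that would climb above the root raises, so the caller can fail
    closed instead of guessing what the filesystem would do.
    """
    decoded = decode_rounds(raw_path)[-1]
    out: List[str] = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                raise ValueError("path escapes the root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def hardened_is_protected(raw_path: str) -> bool:
    """Decide on the canonical form; anything the canonicalizer rejects is
    treated as protected (fail closed). The comparison is deliberately
    case-insensitive, the conservative choice."""
    try:
        canonical = canonicalize(raw_path)
    except ValueError:
        return True
    return any(seg.upper() in PROTECTED_SEGMENTS for seg in canonical.split("/"))


# Constructed probes: the two URIs from the descriptions above (ConcatServlet
# query value and /context prefix stripped) plus a few variants.
PROBES = [
    "/%2557EB-INF/web.xml",            # CVE-2021-28169 shape: double-encoded 'W'
    "/%2e/WEB-INF/web.xml",            # CVE-2021-28164 shape: encoded '.' segment
    "/static/%2e%2e/WEB-INF/web.xml",  # encoded '..' stepping back into WEB-INF
    "/%2e%2e/WEB-INF/web.xml",         # climbs above the root: rejected, so protected
    "/index.html",                     # benign control
]


def compare_checks(paths: List[str] = PROBES) -> List[Tuple[str, bool, bool]]:
    """Return (path, naive_verdict, hardened_verdict) for each probe."""
    return [(p, naive_is_protected(p), hardened_is_protected(p)) for p in paths]


if __name__ == "__main__":
    for path, naive, hardened in compare_checks():
        print(f"{path:34} naive={naive!s:5} hardened={hardened}")
```

The check that matters is the one applied to the same canonical path the resource lookup will use; decoding once, or matching before dot-segment removal, recreates the mismatch the descriptions above rely on. Rejecting nested encoding outright (rather than decoding it) is an equally valid policy and is what a strict URI compliance mode amounts to.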