VYPR

rpm package

suse/jetty-minimal&distro=SUSE Linux Enterprise Module for Development Tools 15 SP2

pkg:rpm/suse/jetty-minimal&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP2

Vulnerabilities (7)

  • CVE-2021-34429, Jul 15, 2021
    affected < 9.4.43-3.12.2, fixed 9.4.43-3.12.2

    For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/G

  • CVE-2021-28169, Jun 9, 2021
    affected < 9.4.42-3.9.1, fixed 9.4.42-3.9.1

    For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml fil

  • CVE-2021-28165, Apr 1, 2021
    affected < 9.4.42-3.9.1, fixed 9.4.42-3.9.1

    In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

  • CVE-2021-28164, Apr 1, 2021
    affected < 9.4.42-3.9.1, fixed 9.4.42-3.9.1

    In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.

  • CVE-2021-28163, Apr 1, 2021
    affected < 9.4.42-3.9.1, fixed 9.4.42-3.9.1

    In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that m

  • CVE-2020-27223, Feb 26, 2021
    affected < 9.4.38-3.6.2, fixed 9.4.38-3.6.2

    In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage pr

  • CVE-2020-27218, Nov 28, 2020
    affected < 9.4.35-3.3.4, fixed 9.4.35-3.3.4

    In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request