rpm package
suse/jetty-minimal&distro=SUSE Linux Enterprise Module for Development Tools 15 SP4
pkg:rpm/suse/jetty-minimal&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP4
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-36478 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Oct 10, 2023 | Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.j | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-41900 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenti | ||
| CVE-2023-40167 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely | ||
| CVE-2023-36479 | — | < 9.4.53-150200.3.22.1 | 9.4.53-150200.3.22.1 | Sep 15, 2023 | Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac | ||
| CVE-2023-26049 | — | < 9.4.51-150200.3.19.2 | 9.4.51-150200.3.19.2 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start | ||
| CVE-2023-26048 | — | < 9.4.51-150200.3.19.2 | 9.4.51-150200.3.19.2 | Apr 18, 2023 | Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a |
- CVE-2023-36478Oct 10, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.j
- affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-41900Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenti
- CVE-2023-40167Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely
- CVE-2023-36479Sep 15, 2023affected < 9.4.53-150200.3.22.1fixed 9.4.53-150200.3.22.1
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a spac
- CVE-2023-26049Apr 18, 2023affected < 9.4.51-150200.3.19.2fixed 9.4.51-150200.3.19.2
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that start
- CVE-2023-26048Apr 18, 2023affected < 9.4.51-150200.3.19.2fixed 9.4.51-150200.3.19.2
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a