VYPR

Jetty

by Eclipse

Source repositories

CVEs (53)

  • CVE-2002-1533 (Mar 31, 2003)
    risk 0.03 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a).

  • CVE-2021-28165 (Apr 1, 2021)
    risk 0.01 · cvss · epss 0.54

    In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

  • CVE-2019-10241 (Apr 22, 2019)
    risk 0.01 · cvss · epss 0.10

    In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory…

  • CVE-2025-1948 (May 8, 2025)
    risk 0.00 · cvss · epss 0.01

    In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this setting, and tries to allocate a ByteBuffer of the…

  • CVE-2024-13009 (May 8, 2025)
    risk 0.00 · cvss · epss 0.00

    In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.

  • CVE-2024-8184 (Oct 14, 2024)
    risk 0.00 · cvss · epss 0.01

    There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's…

  • CVE-2024-6762 (Oct 14, 2024)
    risk 0.00 · cvss · epss 0.01

    Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory.

  • CVE-2024-6763 (Oct 14, 2024)
    risk 0.00 · cvss · epss 0.01

    Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs…

  • CVE-2024-9823 (Oct 14, 2024)
    risk 0.00 · cvss · epss 0.01

    There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the…

  • CVE-2022-2191 (Jul 7, 2022)
    risk 0.00 · cvss · epss 0.02

    In Eclipse Jetty versions 10.0.0 thru 10.0.9 and 11.0.0 thru 11.0.9, SslConnection does not release ByteBuffers to the configured ByteBufferPool on error code paths.

  • CVE-2022-2047 (Jul 7, 2022)
    risk 0.00 · cvss · epss 0.01

    In Eclipse Jetty versions 9.4.0 thru 9.4.46, 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9, when parsing the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy…

  • CVE-2022-2048 (Jul 7, 2022)
    risk 0.00 · cvss · epss 0.02

    In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no…

  • CVE-2021-34428 (Jun 22, 2021)
    risk 0.00 · cvss · epss 0.01

    For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can…

  • CVE-2021-28163 (Apr 1, 2021)
    risk 0.00 · cvss · epss 0.04

    In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory are deployed as a static webapp, inadvertently serving the webapps themselves and anything else that…

  • CVE-2020-27218 (Nov 28, 2020)
    risk 0.00 · cvss · epss 0.08

    In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request…

  • CVE-2020-27216 (Oct 23, 2020)
    risk 0.00 · cvss · epss 0.04

    In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a…

  • CVE-2019-17638 (Jul 9, 2020)
    risk 0.00 · cvss · epss 0.11

    In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.…

  • CVE-2019-17632 (Nov 25, 2019)
    risk 0.00 · cvss · epss 0.02

    In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

  • CVE-2009-5046 (Nov 6, 2019)
    risk 0.00 · cvss · epss 0.02

    JSP Dump and Session Dump Servlet XSS in Jetty before 6.1.22.

  • CVE-2009-5045 (Nov 6, 2019)
    risk 0.00 · cvss · epss 0.02

    Dump Servlet information leak in Jetty before 6.1.22.