<html xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<link rel="home" href="security-reports.html" title="Reporting Security Issues"><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="author" content="jmcconnell"><meta name="keywords" content="Jetty, Servlets, Async, SPDY, Web Server, Web Client, Eclipse RT, Eclipse Runtime"><link href="//fonts.googleapis.com/css?family=Open+Sans:400,700,300,600,100" rel="stylesheet" type="text/css"><link rel="shortcut icon" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/favicon.ico"><title>Jetty - Servlet Engine and Http Server</title><link rel="stylesheet" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/styles.min.css"><meta property="og:description" content="Jetty is a highly scalable modular servlet engine and http server that natively supports many modern protocols like SPDY and WebSockets."><meta property="og:image" content="https://www.eclipse.org/jetty/images/jetty-logo-80x22.png"><meta property="og:title" content="Jetty - Servlet Engine and Http Server"><link rel="stylesheet" type="text/css" href="/jetty/css/jetty.css"><link rel="stylesheet" type="text/css" href="/jetty/css/docbook.css"><link rel="stylesheet" type="text/css" href="/jetty/css/styles.min.css"></head><body id="body-solstice"><a class="sr-only" href="#content">Skip to main content</a><div class="clearfix toolbar-container-wrapper"><div class="container"><div class="text-right toolbar-row row hidden-print"><div class="col-md-24 row-toolbar-col"><ul class="list-inline"><li><a href="https://dev.eclipse.org/site_login/createaccount.php"><i class="fa fa-user fa-fw"></i> Create account</a></li><li><a href="https://dev.eclipse.org/site_login/?takemeback=https://www.eclipse.org/jetty/"><i class="fa fa-sign-in fa-fw"></i> Log in</a></li></ul></div></div></div></div><header role="banner" id="header-wrapper"><div class="container"><div class="row" 
id="header-row"><div class="hidden-xs col-sm-8 col-md-6 col-lg-5" id="header-left"><div class="wrapper-logo-default"><a href="https://www.eclipse.org/"><img class="logo-eclipse-default img-responsive hidden-xs" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-426x100.png"></a></div></div><div class="col-sm-10 col-md-8 col-lg-5 hidden-print hidden-xs pull-right" id="header-right"><div id="btn-call-for-action"><a href="https://www.eclipse.org/donate/" class="btn btn-huge btn-info"><i class="fa fa-star"></i> Donate</a></div></div><div class="col-sm-14 col-md-16 col-lg-19 reset" id="main-menu-wrapper"><div class="navbar yamm" id="main-menu"><div id="navbar-collapse-1" class="navbar-collapse collapse"><ul class="nav navbar-nav"><li class="visible-thin"><a href="https://www.eclipse.org/downloads/" target="_self">Download</a></li><li><a href="https://www.eclipse.org/users/" target="_self">Getting Started</a></li><li><a href="https://www.eclipse.org/membership/" target="_self">Members</a></li><li><a href="https://www.eclipse.org/projects/" target="_self">Projects</a></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Community <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Participate <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a 
href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Working Groups <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></li><li class="dropdown eclipse-more hidden-xs"><a data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a><ul class="dropdown-menu"><li><div class="yamm-content"><div class="row"><ul class="col-sm-8 list-unstyled"><li><p><strong>Community</strong></p></li><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Participate</strong></p></li><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Working Groups</strong></p></li><li><a 
href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></div></div></li></ul></li></ul></div><div class="navbar-header"><button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-collapse-1"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="wrapper-logo-mobile"><a class="navbar-brand visible-xs" href="https://www.eclipse.org/"><img class="logo-eclipse-default-mobile img-responsive" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-800x188.png"></a></div></div></div></div></div></div></header><section class="hidden-print default-breadcrumbs" id="breadcrumb"><div class="container"><h3 class="sr-only">Breadcrumbs</h3><div class="col-xs-24"><ol class="breadcrumb"><li><a href="https://www.eclipse.org/">Home</a></li><li><a href="https://www.eclipse.org/projects/">Projects</a></li><li><a href="https://www.eclipse.org/jetty">jetty</a></li></ol></div></div></section><main class="no-promo"><div class="novaContent container" id="novaContent"><aside id="leftcol" class="col-md-4"><ul id="leftnav" class="ul-left-nav fa-ul hidden-print"><li class="separator"><a class="separator" href="/jetty/index.html">Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/about.html" target="_self">About Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/powered" target="_self">Jetty Powered</a></li><li><i class="fa fa-angle-double-right orange 
fa-fw"></i><a href="/jetty/licenses.html" target="_self">Licenses</a></li><li class="separator">Resources</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/download.html" target="_self">Downloads</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation" target="_self">Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/javadoc" target="_self">API Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/security-reports.html" target="_self">Security Reports</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/jetty-maven-plugin.html" target="_self">Maven Plugin</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/mailinglists.html" target="_self">Mailing Lists</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://webtide.com/blogs" target="_self">Blogs</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A31" target="_self">Eclipse Tooling</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/tools.html" target="_self">Tools</a></li><li class="separator">Project Management</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/advanced-contributing.html#community" target="_self">Community</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/contributing-patches.html" target="_self">Contributing</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://www.eclipse.org/projects/ip_log.php?projectid=rt.jetty" target="_self">IP Log</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://github.com/eclipse/jetty.project" target="_self">Source</a></li><li 
class="separator">Professional Services</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A34" target="_self">Training and Consulting</a></li></ul></aside><div id="maincontent"><div id="midcolumn"><center><img src="/jetty/images/jetty-logo-80x22.png"></center><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reporting"></a>Reporting Security Issues</h2></div></div></div><p>There are a number of avenues for reporting security issues to the Jetty project available.
If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
The most direct method is to mail <a class="link" href="mailto:security@webtide.com" target="_top">security@webtide.com</a>.
Since Webtide is made up of the active committers of the Jetty project, this is our preferred reporting method.
We are generally flexible in how we work with reporters of security issues, but we reserve the right to act in the interests of the Jetty project in all circumstances.</p><p>If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to <a class="link" href="mailto:security@eclipse.org" target="_top">security@eclipse.org</a>.</p><p>If the issue is related to integrations with Jetty, we are happy to work with you to identify the proper entity, and either of the approaches above is fine.</p><p>We prefer that security issues are reported directly to Jetty developers rather than through GitHub Issues, since it has no facility to tag issues as <span class="emphasis"><em>private</em></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following sections provide information about Jetty security issues.</p><div class="table"><a name="d0e33"></a><p class="title"><b></b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2020/11/17</p></td><td align="left" valign="top"><p>CVE-2020-27218</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>9.4.0.RC0 - 9.4.34, 10.0.0.alpha0 - 10.0.0.beta2, 11.0.0.alpha0 - 11.0.0.beta2</p></td><td align="left" valign="top"><p>9.4.35, 
10.0.0.beta3, 11.0.0.beta3</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27218" target="_top">If GZIP request body inflation is enabled and requests
from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body.</a></p></td></tr><tr><td align="left" valign="top"><p>2020/10/19</p></td><td align="left" valign="top"><p>CVE-2020-27216</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&lt; = 9.4.32</p></td><td align="left" valign="top"><p>9.3.29, 9.4.33</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27216" target="_top">If using a shared temp directory on UNIX-based systems an attacker could exploit the creation of a randomly generated file or directory allowing them to execute code and allowing for local privilege escalation.</a></p></td></tr><tr><td align="left" valign="top"><p>2020/07/09</p></td><td align="left" valign="top"><p>CVE-2019-17638</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&gt;= 9.4.27, &lt; = 9.4.29</p></td><td align="left" valign="top"><p>9.4.30</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17638" target="_top">In the case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. 
When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/11/25</p></td><td align="left" valign="top"><p>CVE-2019-17632</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&gt;= 9.4.21, &lt; = 9.4.23</p></td><td align="left" valign="top"><p>9.4.24</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632" target="_top">The generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518" target="_top">Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9516</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516" target="_top">Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" 
valign="top"><p>CVE-2019-9515</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515" target="_top">Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9514</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" target="_top">Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9512</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" target="_top">Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9511</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a 
class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" target="_top">Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10247</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247" target="_top">If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10246</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&lt; = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10241</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&lt; = 9.4.15</p></td><td align="left" valign="top"><p>9.2.27, 9.3.26, 9.4.16</p></td><td align="left" valign="top"><p><a class="link" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12538</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&gt;= 9.4.0, &lt; = 9.4.8</p></td><td align="left" valign="top"><p>9.4.9</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538" target="_top"><code class="literal">HttpSessions</code> present specifically in the FileSystem&#8217;s storage could be hijacked/accessed by an unauthorized user.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12536</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/209.html" target="_top">CWE-209</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536" target="_top"><code class="literal">InvalidPathException</code> Message reveals webapp system path.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7658</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 
9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658" target="_top">Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7657</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657" target="_top">HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7656</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656" target="_top">HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).</a></p></td></tr><tr><td align="left" valign="top"><p>2016/05/31</p></td><td align="left" valign="top"><p>CVE-2016-4800</p></td><td align="left" valign="top"><p>high</p></td><td align="left" 
valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;= 9.3.0, &lt; = 9.3.8</p></td><td align="left" valign="top"><p>9.3.9</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2016-001.html" target="_top">Alias vulnerability allowing access to protected resources within a webapp on Windows.</a></p></td></tr><tr><td align="left" valign="top"><p>2015/02/24</p></td><td align="left" valign="top"><p><a class="link" href="http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" target="_top">CVE-2015-2080</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;=9.2.3 &lt;9.2.9</p></td><td align="left" valign="top"><p>9.2.9</p></td><td align="left" valign="top"><p>JetLeak exposure of past buffers during HttpParser error</p></td></tr><tr><td align="left" valign="top"><p>2013/11/27</p></td><td align="left" valign="top"><p><a class="link" href="http://en.securitylab.ru/lab/PT-2013-65" target="_top">PT-2013-65</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;=9.0.0 &lt;9.0.5</p></td><td align="left" valign="top"><p>9.0.6
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014" target="_top">418014</a></p></td><td align="left" valign="top"><p>Alias checking disabled by NTFS errors on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2013/07/24</p></td><td align="left" valign="top"><p><a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&gt;=7.6.9 &lt;9.0.5</p></td><td align="left" valign="top"><p>7.6.13,8.1.13,9.0.5
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>Constraints bypassed if Unix symlink alias checker used on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2011/12/29</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2011-003.html" target="_top">CERT2011-003</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461" target="_top">CVE-2011-4461</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>All versions</p></td><td align="left" valign="top"><p>7.6.0.RC0
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638" target="_top">Jetty-367638</a></p></td><td align="left" valign="top"><p>Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).</p></td></tr><tr><td align="left" valign="top"><p>2009/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/120541" target="_top">CERT120541</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" target="_top">CVE-2009-3555</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>JVM&lt;1.6u19</p></td><td align="left" valign="top"><p>jetty-7.01.v20091125, jetty-6.1.22</p></td><td align="left" valign="top"><p>Work
around by turning off SSL renegotiation in Jetty. If using JVM &gt; 1.6u19
setAllowRenegotiate(true) may be called on connectors.</p></td></tr><tr><td align="left" valign="top"><p>2009/06/18</p></td><td align="left" valign="top"><p>Jetty-1042</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt; = 6.1.18, &lt; = 7.0.0.M4</p></td><td align="left" valign="top"><p>6.1.19, 7.0.0.Rc0</p></td><td align="left" valign="top"><p>Cookie leak between
requests sharing a connection.</p></td></tr><tr><td align="left" valign="top"><p>2009/04/30</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/402580" target="_top">CERT402580</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt; = 6.1.16, &lt; = 7.0.0.M2</p></td><td align="left" valign="top"><p>5.1.15, 6.1.18, 7.0.0.M2</p>
<p>Jetty-1004</p></td><td align="left" valign="top"><p>View arbitrary disk content in some specific configurations.</p></td></tr><tr><td align="left" valign="top"><p>2007/12/22</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/553235" target="_top">CERT553235</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672" target="_top">CVE-2007-6672</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>6.1.rrc0-6.1.6</p></td><td align="left" valign="top"><p>6.1.7</p>
<p>CERT553235</p></td><td align="left" valign="top"><p>Static content visible in WEB-INF and past security constraints.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/438616" target="_top">CERT438616</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614" target="_top">CVE-2007-5614</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc1 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>Single quote in
cookie name.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/237888" target="_top">CERT237888&gt;</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613" target="_top">CVE-2007-5613</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>XSS in demo dup
servlet.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/03</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/212984" target="_top">CERT212984
&gt;</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615" target="_top">CVE-2007-5615</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>CRLF
Response splitting.</p></td></tr><tr><td align="left" valign="top"><p>2006/11/22</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969" target="_top">CVE-2006-6969</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;6.1.0, &lt;6.0.2, &lt;5.1.12, &lt;4.2.27</p></td><td align="left" valign="top"><p>6.1.0pre3, 6.0.2, 5.1.12,
4.2.27</p></td><td align="left" valign="top"><p>Session ID predictability.</p></td></tr><tr><td align="left" valign="top"><p>2006/06/01</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759" target="_top">CVE-2006-2759</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;6.0.*, &lt;6.0.0Beta17</p></td><td align="left" valign="top"><p>6.0.0Beta17</p></td><td align="left" valign="top"><p>JSP source
visibility.</p></td></tr><tr><td align="left" valign="top"><p>2006/01/05</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;5.1.10</p></td><td align="left" valign="top"><p>5.1.10</p></td><td align="left" valign="top"><p>Fixed // security
constraint bypass on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2005/11/18</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758" target="_top">CVE-2006-2758</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;5.1.6</p></td><td align="left" valign="top"><p>5.1.6, 6.0.0Beta4</p></td><td align="left" valign="top"><p>JSP source visibility.</p></td></tr><tr><td align="left" valign="top"><p>2004/02/04</p></td><td align="left" valign="top"><p>JSSE 1.0.3_01</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;4.2.7</p></td><td align="left" valign="top"><p>4.2.7</p></td><td align="left" valign="top"><p>Upgraded JSSE
to obtain downstream security fix.</p></td></tr><tr><td align="left" valign="top"><p>2002/09/22</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;4.1.0</p></td><td align="left" valign="top"><p>4.1.0</p></td><td align="left" valign="top"><p>Fixed CGI servlet remove
exploit.</p></td></tr><tr><td align="left" valign="top"><p>2002/03/12</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>&lt;3.1.7</p></td><td align="left" valign="top"><p>4.0.RC2, 3.1.7</p></td><td align="left" valign="top"><p>Fixed // security
constraint bypass.</p></td></tr><tr><td align="left" valign="top"><p>2001/10/21</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;3.1.3</p></td><td align="left" valign="top"><p>3.1.3</p></td><td align="left" valign="top"><p>Fixed trailing null security
constraint bypass.</p></td></tr></tbody></table></div></div><br class="table-break"></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-processes"></a>Jetty Security Processes</h2></div></div></div><p>While Webtide works diligently to make Jetty as issue-free as possible, with the rapid pace of updates to technology and standards, there is always the possibility that a bug or vulnerability can be found.
This is compounded by the fact that Jetty operates as a platform, and as such cannot account for all the permutations and combinations of configurations that users may make to it.
What follows is the process by which we address security vulnerabilities.</p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you suspect you have found a security issue, please do not report it publicly. Instead, send an email to <a class="link" href="mailto:security@webtide.com" target="_top">security@webtide.com</a>.</p></div><div class="orderedlist"><ol class="orderedlist" type="1"><li class="listitem">On receipt of a security report via <a class="link" href="mailto:security@webtide.com" target="_top">security@webtide.com</a> or other channels, if it cannot be trivially dismissed (already fixed, known not a problem, etc.), then a <a class="link" href="https://github.com/eclipse/jetty.project/security/advisories?state=published" target="_top">Github security advisory</a> is created by project leadership.</li><li class="listitem">Jetty committers and the reporters are added to the security advisory. Individual committers can also be named in the comments for addition.</li><li class="listitem">Initial triage and discussion are performed in the comments of the advisory.</li><li class="listitem">If enough information exists to attempt reproduction or fix, then a private repository is created as part of the GitHub security advisory.</li><li class="listitem">If the vulnerability cannot be confirmed then close the security advisory, else continue.</li><li class="listitem">Generate a <a class="link" href="https://www.first.org/cvss/calculator/3.0" target="_top">CVE score</a> and add it to the advisory description.</li><li class="listitem">Identify a <a class="link" href="https://cwe.mitre.org/data/definitions/699.html" target="_top">CWE Definition</a> and add it to the advisory description.</li><li class="listitem">Identify vulnerable version(s), including current and past versions that are affected (e.g. 
9.4.0 through 9.4.35, and 10.0.0.alpha1 through 10.0.0.beta3&#8230;&#8203;etc.)</li><li class="listitem">Identify and document workaround(s), if applicable, in the comments of the security advisory.</li><li class="listitem"><p class="simpara">Open an <a class="link" href="https://bugs.eclipse.org/bugs/" target="_top">Eclipse Bugzilla</a> to get a CVE allocated. It should be opened under the <span class="emphasis"><em>Community</em></span> "Product" category with a "Component" of <span class="emphasis"><em>Vulnerability Reports</em></span>. The CVE <a class="link" href="https://www.eclipse.org/projects/handbook/#vulnerability-cve" target="_top">should include</a> the following:</p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem">Version(s) affected</li><li class="listitem">CVE Score</li><li class="listitem">CWE Identifier(s)</li><li class="listitem">Brief description of the issue</li></ol></div></li><li class="listitem">Once the CVE is allocated, update the security advisory with the number.</li><li class="listitem">Build and test fix(es) locally and in the CI environment.</li><li class="listitem">Merge tests and fix, ensuring the description does not mention the vulnerability directly, so that the merged change does not disclose the issue before the advisory is published.</li><li class="listitem">Build and stage a release candidate.</li><li class="listitem"><p class="simpara">Notify interested parties of the pending security advisory and staged release:</p><div class="orderedlist"><ol class="orderedlist" type="a"><li class="listitem">Include CVE number, CVE score, and CWE</li><li class="listitem">Include Workarounds</li><li class="listitem">Stress that it is confidential</li><li class="listitem">Advise that the security advisory will be published in 2 days unless they indicate they need more time.</li></ol></div></li><li class="listitem">If testing is OK, then the release is promoted.</li><li class="listitem">Interested parties are notified of the availability of the release on Maven Central.</li><li class="listitem">Publish security advisory and CVE 
publicly.</li><li class="listitem">Edit VERSION.txt so that the CVE number is recorded against the merged PR.</li><li class="listitem">Edit the release on GitHub to identify the CVE number.</li></ol></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="_a_note_on_releases"></a>A Note On Releases</h3></div></div></div><p>Jetty has a comprehensive test catalog that covers not only functionality but also standard configuration errors that users can make which may result in instability.</p><p>When a new version of Jetty is ready to be built, it undergoes rigorous testing throughout the Webtide infrastructure to make sure not only that it compiles and builds successfully but also that it runs without errors and functions as expected.
Webtide uses Jetty for several of its own backend servers and web applications and new builds are tested against these before a release candidate ever moves forward for public availability.</p><p>In addition to our own testing, Webtide works with several partners who have opted to test and install early release builds in their environments.
These partners test not only Jetty as a platform but also install their web applications and perform security and penetration testing against these builds.</p><p>Once internal and partner testing is complete, a process that generally takes several days, the Webtide team moves forward with public releases. Release notes are sent out, and builds are promoted to Maven Central.</p></div></div></div></div></div></main></body></html>