| <html><head> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
| <title>Jetty Security Reports</title><link rel="stylesheet" type="text/css" href="css/docbook.css"><meta name="generator" content="DocBook XSL Stylesheets V1.79.1"><meta name="keywords" content="jetty, servlet, servlet-api, cometd, http, websocket, eclipse, maven, java, server, software"><link rel="home" href="index.html" title="Jetty"><link rel="up" href="troubleshooting.html" title="Chapter 33. Troubleshooting"><link rel="prev" href="troubleshooting-slow-deployment.html" title="Troubleshooting Slow Deployment"><link rel="next" href="advanced-debugging.html" title="Chapter 34. Debugging"><link xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" rel="shortcut icon" href="images/favicon.ico"><link rel="stylesheet" href="css/highlighter/foundation.css"><script src="js/highlight.pack.js"></script><script> |
| hljs.initHighlightingOnLoad(); |
| </script><link type="text/css" rel="stylesheet" href="css/font-awesome/font-awesome.min.css"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><table xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><tr><td style="width: 25%"><a href="http://www.eclipse.org/jetty"><img src="images/jetty-header-logo.png" alt="Jetty Logo"></a><br><span style="font-size: small"> |
| Version: 9.3.28.v20191105</span></td><td style="width: 50%"></td></tr></table><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Jetty Security Reports</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="troubleshooting-slow-deployment.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><th width="60%" align="center">Chapter 33. Troubleshooting<br><a accesskey="p" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></th><td width="20%" align="right"> <a accesskey="n" href="advanced-debugging.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr></table><hr></div><div xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times" class="jetty-callout"><h5 class="callout"><a href="http://www.webtide.com/">Contact the core Jetty developers at |
| <span class="website">www.webtide.com</span></a></h5><p> |
| private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... |
| scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development |
| </p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following sections provide information about Jetty security issues.</p><p>If you would like to report a security issue please follow these <a class="link" href="security-reporting.html" title="Reporting Security Issues">instructions</a>.</p><div class="table"><a name="d0e28920"></a><p class="title"><b>Table 33.1. Resolved Issues</b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12538</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>>= 9.4.0, < = 9.4.8</p></td><td align="left" valign="top"><p>9.4.9</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538" target="_top"><code class="literal">HttpSessions</code> present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12536</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/209.html" target="_top">CWE-202</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536" target="_top"><code class="literal">InvalidPathException</code> Message reveals webapp system path.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7658</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658" target="_top">Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7657</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657" target="_top">HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7656</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656" target="_top">HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).</a></p></td></tr><tr><td align="left" valign="top"><p>2016/05/31</p></td><td align="left" valign="top"><p>CVE-2016-4800</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>= 9.3.0, < = 9.3.8</p></td><td align="left" valign="top"><p>9.3.9</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2016-001.html" target="_top">Alias vulnerability allowing access to protected resources within a webapp on Windows.</a></p></td></tr><tr><td align="left" valign="top"><p>2015/02/24</p></td><td align="left" valign="top"><p>CVE-2015-2080</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.2.3 <9.2.9</p></td><td align="left" valign="top"><p>9.2.9</p></td><td align="left" valign="top"><p><a class="link" href="http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" target="_top">JetLeak exposure of past buffers during HttpParser error</a></p></td></tr><tr><td align="left" valign="top"><p>2013/11/27</p></td><td align="left" valign="top"><p><a class="link" href="http://en.securitylab.ru/lab/PT-2013-65" target="_top">PT-2013-65</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.0.0 <9.0.5</p></td><td align="left" valign="top"><p>9.0.6 |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014" target="_top">418014</a></p></td><td align="left" valign="top"><p>Alias checking disabled by NTFS errors on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2013/07/24</p></td><td align="left" valign="top"><p><a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>>=7.6.9 <9.0.5</p></td><td align="left" valign="top"><p>7.6.13,8.1.13,9.0.5 |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>Constraints bypassed if Unix symlink alias checker used on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2011/12/29</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2011-003.html" target="_top">CERT2011-003</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461" target="_top">CVE-2011-4461</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>All versions</p></td><td align="left" valign="top"><p>7.6.0.RCO |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638" target="_top">Jetty-367638</a></p></td><td align="left" valign="top"><p>Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).</p></td></tr><tr><td align="left" valign="top"><p>2009/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/120541" target="_top">CERT2011-003</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" target="_top">CERT2011-003</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>JVM<1.6u19</p></td><td align="left" valign="top"><p>jetty-7.01.v20091125, jetty-6.1.22</p></td><td align="left" valign="top"><p>Work |
| around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 |
| setAllowRenegotiate(true) may be called on connectors.</p></td></tr><tr><td align="left" valign="top"><p>2009/06/18</p></td><td align="left" valign="top"><p><a class="link" href="http://jira.codehaus.org/browse/JETTY-1042" target="_top">Jetty-1042</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>< = 6.1.18, < = 7.0.0.M4</p></td><td align="left" valign="top"><p>6.1.19, 7.0.0.Rc0</p></td><td align="left" valign="top"><p>Cookie leak between |
| requests sharing a connection.</p></td></tr><tr><td align="left" valign="top"><p>2009/04/30</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/402580" target="_top">CERT402580</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>< = 6.1.16, < = 7.0.0.M2</p></td><td align="left" valign="top"><p>5.1.15, 6.1.18, 7.0.0.M2</p> |
| <p><a class="link" href="http://jira.codehaus.org/browse/JETTY-1004" target="_top">Jetty-1004</a></p></td><td align="left" valign="top"><p>View arbitrary disk content in some specific configurations.</p></td></tr><tr><td align="left" valign="top"><p>2007/12/22</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/553235" target="_top">CERT553235</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672" target="_top">CVE-2007-6672</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>6.1.rrc0-6.1.6</p></td><td align="left" valign="top"><p>6.1.7</p> |
| <p><a class="link" href="http://jira.codehaus.org/browse/JETTY-386" target="_top">CERT553235</a></p></td><td align="left" valign="top"><p>Static content visible in WEB-INF and past security constraints.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/438616" target="_top">CERT438616</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614" target="_top">CVE-2007-5614</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc1 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>Single quote in |
| cookie name.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/237888" target="_top">CERT237888></a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613" target="_top">CVE-2007-5613</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>XSS in demo dup |
| servlet.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/03</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/212984" target="_top">CERT212984 |
| ></a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615" target="_top">CVE-2007-5615</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>CRLF |
| Response splitting.</p></td></tr><tr><td align="left" valign="top"><p>2006/11/22</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969" target="_top">CVE-2006-6969</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><6.1.0, <6.0.2, <5.1.12, <4.2.27</p></td><td align="left" valign="top"><p>6.1.0pre3, 6.0.2, 5.1.12, |
| 4.2.27</p></td><td align="left" valign="top"><p>Session ID predictability.</p></td></tr><tr><td align="left" valign="top"><p>2006/06/01</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759" target="_top">CVE-2006-2759</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><6.0.*, <6.0.0Beta17</p></td><td align="left" valign="top"><p>6.0.0Beta17</p></td><td align="left" valign="top"><p>JSP source |
| visibility.</p></td></tr><tr><td align="left" valign="top"><p>2006/01/05</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><5.1.10</p></td><td align="left" valign="top"><p>5.1.10</p></td><td align="left" valign="top"><p>Fixed //security |
| constraint bypass on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2005/11/18</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758" target="_top">CVE-2006-2758</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><5.1.6</p></td><td align="left" valign="top"><p>5.1.6, 6.0.0Beta4</p></td><td align="left" valign="top"><p>JSP source visibility.</p></td></tr><tr><td align="left" valign="top"><p>2004/02/04</p></td><td align="left" valign="top"><p>JSSE 1.0.3_01</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><4.2.7</p></td><td align="left" valign="top"><p>4.2.7</p></td><td align="left" valign="top"><p>Upgraded JSSE |
| to obtain downstream security fix.</p></td></tr><tr><td align="left" valign="top"><p>2002/09/22</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><4.1.0</p></td><td align="left" valign="top"><p>4.1.0</p></td><td align="left" valign="top"><p>Fixed CGI servlet remove |
| exploit.</p></td></tr><tr><td align="left" valign="top"><p>2002/03/12</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p><3.1.7</p></td><td align="left" valign="top"><p>4.0.RC2, 3.1.7</p></td><td align="left" valign="top"><p>Fixed // security |
| constraint bypass.</p></td></tr><tr><td align="left" valign="top"><p>2001/10/21</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><3.1.3</p></td><td align="left" valign="top"><p>3.1.3</p></td><td align="left" valign="top"><p>Fixed trailing null security |
| constraint bypass.</p></td></tr></tbody></table></div></div><br class="table-break"></div><script type="text/javascript"> |
| SyntaxHighlighter.all() |
| </script><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="troubleshooting-slow-deployment.html"><i class="fa fa-chevron-left" aria-hidden="true"></i> Previous</a> </td><td width="20%" align="center"><a accesskey="u" href="troubleshooting.html"><i class="fa fa-chevron-up" aria-hidden="true"></i> Top</a></td><td width="40%" align="right"> <a accesskey="n" href="advanced-debugging.html">Next <i class="fa fa-chevron-right" aria-hidden="true"></i></a></td></tr><tr><td width="40%" align="left" valign="top">Troubleshooting Slow Deployment </td><td width="20%" align="center"><a accesskey="h" href="index.html"><i class="fa fa-home" aria-hidden="true"></i> Home</a></td><td width="40%" align="right" valign="top"> Chapter 34. Debugging</td></tr></table></div><p xmlns:jfetch="java:org.eclipse.jetty.xslt.tools.JavaSourceFetchExtension" xmlns:fetch="java:org.eclipse.jetty.xslt.tools.SourceFetchExtension" xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><div class="jetty-callout"> |
| See an error or something missing? |
| <span class="callout"><a href="http://github.com/eclipse/jetty.project">Contribute to this documentation at |
| <span class="website"><i class="fa fa-github" aria-hidden="true"></i> Github!</span></a></span><span style="float: right"><i>(Generated: 2019-11-05)</i></span></div></p></body></html> |