Google Git
Sign in
eclipse / www.eclipse.org / jetty / f492109d55aa783e4fb41d75d771a794a5a87b42 / . / security-reports.html
blob: 1dc757c4e97d2f66a45a5f0840d0037c44cfe228 [file] [log] [blame]
<html xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<link rel="home" href="security-reports.html" title="Reporting Security Issues"><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="author" content="jmcconnell"><meta name="keywords" content="Jetty, Servlets, Async, SPDY, Web Server, Web Client, Eclipse RT, Eclipse Runtime"><link href="//fonts.googleapis.com/css?family=Open+Sans:400,700,300,600,100" rel="stylesheet" type="text/css"><link rel="shortcut icon" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/favicon.ico"><title>Jetty - Servlet Engine and Http Server</title><link rel="stylesheet" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/styles.min.css"><meta property="og:description" content="Jetty is a highly scalable modular servlet engine and http server that natively supports many modern protocols like SPDY and WebSockets."><meta property="og:image" content="https://www.eclipse.org/jetty/images/jetty-logo-80x22.png"><meta property="og:title" content="Jetty - Servlet Engine and Http Server"><link rel="stylesheet" type="text/css" href="/jetty/css/jetty.css"><link rel="stylesheet" type="text/css" href="/jetty/css/docbook.css"><link rel="stylesheet" type="text/css" href="/jetty/css/styles.min.css"></head><body id="body-solstice"><a class="sr-only" href="#content">Skip to main content</a><div class="clearfix toolbar-container-wrapper"><div class="container"><div class="text-right toolbar-row row hidden-print"><div class="col-md-24 row-toolbar-col"><ul class="list-inline"><li><a href="https://dev.eclipse.org/site_login/createaccount.php"><i class="fa fa-user fa-fw"></i> Create account</a></li><li><a href="https://dev.eclipse.org/site_login/?takemeback=https://www.eclipse.org/jetty/"><i class="fa fa-sign-in fa-fw"></i> Log in</a></li></ul></div></div></div></div><header role="banner" id="header-wrapper"><div class="container"><div class="row" id="header-row"><div class="hidden-xs col-sm-8 col-md-6 col-lg-5" id="header-left"><div class="wrapper-logo-default"><a href="https://www.eclipse.org/"><img class="logo-eclipse-default img-responsive hidden-xs" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-426x100.png"></a></div></div><div class="col-sm-10 col-md-8 col-lg-5 hidden-print hidden-xs pull-right" id="header-right"><div id="btn-call-for-action"><a href="https://www.eclipse.org/donate/" class="btn btn-huge btn-info"><i class="fa fa-star"></i> Donate</a></div></div><div class="col-sm-14 col-md-16 col-lg-19 reset" id="main-menu-wrapper"><div class="navbar yamm" id="main-menu"><div id="navbar-collapse-1" class="navbar-collapse collapse"><ul class="nav navbar-nav"><li class="visible-thin"><a href="https://www.eclipse.org/downloads/" target="_self">Download</a></li><li><a href="https://www.eclipse.org/users/" target="_self">Getting Started</a></li><li><a href="https://www.eclipse.org/membership/" target="_self">Members</a></li><li><a href="https://www.eclipse.org/projects/" target="_self">Projects</a></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Community <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Participate <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Working Groups <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></li><li class="dropdown eclipse-more hidden-xs"><a data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a><ul class="dropdown-menu"><li><div class="yamm-content"><div class="row"><ul class="col-sm-8 list-unstyled"><li><p><strong>Community</strong></p></li><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Participate</strong></p></li><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Working Groups</strong></p></li><li><a href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></div></div></li></ul></li></ul></div><div class="navbar-header"><button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-collapse-1"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="wrapper-logo-mobile"><a class="navbar-brand visible-xs" href="https://www.eclipse.org/"><img class="logo-eclipse-default-mobile img-responsive" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-800x188.png"></a></div></div></div></div></div></div></header><section class="hidden-print default-breadcrumbs" id="breadcrumb"><div class="container"><h3 class="sr-only">Breadcrumbs</h3><div class="col-xs-24"><ol class="breadcrumb"><li><a href="https://www.eclipse.org/">Home</a></li><li><a href="https://www.eclipse.org/projects/">Projects</a></li><li><a href="https://www.eclipse.org/jetty">jetty</a></li></ol></div></div></section><main class="no-promo"><div class="novaContent container" id="novaContent"><aside id="leftcol" class="col-md-4"><ul id="leftnav" class="ul-left-nav fa-ul hidden-print"><li class="separator"><a class="separator" href="/jetty/index.html">Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/about.html" target="_self">About Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/powered" target="_self">Jetty Powered</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/licenses.html" target="_self">Licenses</a></li><li class="separator">Resources</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/download.html" target="_self">Downloads</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation" target="_self">Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/javadoc" target="_self">API Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/security-reports.html" target="_self">Security Reports</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/jetty-maven-plugin.html" target="_self">Maven Plugin</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/mailinglists.html" target="_self">Mailing Lists</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://webtide.com/blogs" target="_self">Blogs</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A31" target="_self">Eclipse Tooling</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/tools.html" target="_self">Tools</a></li><li class="separator">Project Management</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/advanced-contributing.html#community" target="_self">Community</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/contributing-patches.html" target="_self">Contributing</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://www.eclipse.org/projects/ip_log.php?projectid=rt.jetty" target="_self">IP Log</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://github.com/eclipse/jetty.project" target="_self">Source</a></li><li class="separator">Professional Services</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A34" target="_self">Training and Consulting</a></li></ul></aside><div id="maincontent"><div id="midcolumn"><center><img src="/jetty/images/jetty-logo-80x22.png"></center><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reporting"></a>Reporting Security Issues</h2></div></div></div><p>There are a number of avenues for reporting security issues to the Jetty project available.
If the issue is directly related to Jetty itself then reporting to the Jetty developers is encouraged.
The most direct method is to mail <span class="emphasis"><em>security@webtide.com</em></span>.
Since Webtide is comprised of the active committers of the Jetty project this is our preferred reporting method.
We are generally flexible in how we work with reporters of security issues but we reserve the right to act in the interests of the Jetty project in all circumstances.</p><p>If the issue is related to Eclipse or its Jetty integration then we encourage you to reach out to <span class="emphasis"><em>security@eclipse.org</em></span>.</p><p>If the issue is related to integrations with Jetty we are happy to work with you to identify the proper entity and either of the approaches above is fine.</p><p>We prefer that security issues are reported directly to Jetty developers as opposed through GitHub Issues since it has no facility to tag issues as <span class="emphasis"><em>private</em></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following sections provide information about Jetty security issues.</p><div class="table"><a name="d31e33"></a><p class="title"><b></b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2019/11/25</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&gt;= 9.4.21, &lt; = 9.4.23</p></td><td align="left" valign="top"><p>9.4.24</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632" target="_top">The generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518" target="_top">Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9516</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516" target="_top">Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9515</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515" target="_top">Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the peer.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9514</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" target="_top">Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9512</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" target="_top">Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9511</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>&lt; = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" target="_top">Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10247</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>&lt; = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247" target="_top">If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10246</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&lt; = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10241</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&lt; = 9.4.15</p></td><td align="left" valign="top"><p>9.2.27, 9.3.26, 9.4.16</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12538</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>&gt;= 9.4.0, &lt; = 9.4.8</p></td><td align="left" valign="top"><p>9.4.9</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538" target="_top"><code class="literal">HttpSessions</code> present specifically in the FileSystem&#8217;s storage could be hijacked/accessed by an unauthorized user.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12536</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/209.html" target="_top">CWE-202</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536" target="_top"><code class="literal">InvalidPathException</code> Message reveals webapp system path.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7658</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7658" target="_top">Too Tolerant Parser, Double Content-Length + Transfer-Encoding + Whitespace.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7657</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657" target="_top">HTTP/1.1 Request smuggling with carefully crafted body content (Does not apply to HTTP/1.0 or HTTP/2).</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7656</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>&lt; = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7656" target="_top">HTTP Request Smuggling when used with invalid request headers (for HTTP/0.9).</a></p></td></tr><tr><td align="left" valign="top"><p>2016/05/31</p></td><td align="left" valign="top"><p>CVE-2016-4800</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;= 9.3.0, &lt; = 9.3.8</p></td><td align="left" valign="top"><p>9.3.9</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2016-001.html" target="_top">Alias vulnerability allowing access to protected resources within a webapp on Windows.</a></p></td></tr><tr><td align="left" valign="top"><p>2015/02/24</p></td><td align="left" valign="top"><p><a class="link" href="http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" target="_top">CVE-2015-2080</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;=9.2.3 &lt;9.2.9</p></td><td align="left" valign="top"><p>9.2.9</p></td><td align="left" valign="top"><p>JetLeak exposure of past buffers during HttpParser error</p></td></tr><tr><td align="left" valign="top"><p>2013/11/27</p></td><td align="left" valign="top"><p><a class="link" href="http://en.securitylab.ru/lab/PT-2013-65" target="_top">PT-2013-65</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&gt;=9.0.0 &lt;9.0.5</p></td><td align="left" valign="top"><p>9.0.6
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014" target="_top">418014</a></p></td><td align="left" valign="top"><p>Alias checking disabled by NTFS errors on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2013/07/24</p></td><td align="left" valign="top"><p><a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&gt;=7.6.9 &lt;9.0.5</p></td><td align="left" valign="top"><p>7.6.13,8.1.13,9.0.5
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>Constraints bypassed if Unix symlink alias checker used on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2011/12/29</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2011-003.html" target="_top">CERT2011-003</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461" target="_top">CVE-2011-4461</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>All versions</p></td><td align="left" valign="top"><p>7.6.0.RCO
<a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638" target="_top">Jetty-367638</a></p></td><td align="left" valign="top"><p>Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).</p></td></tr><tr><td align="left" valign="top"><p>2009/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/120541" target="_top">CERT2011-003</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" target="_top">CERT2011-003</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>JVM&lt;1.6u19</p></td><td align="left" valign="top"><p>jetty-7.01.v20091125, jetty-6.1.22</p></td><td align="left" valign="top"><p>Work
around by turning off SSL renegotiation in Jetty. If using JVM &gt; 1.6u19
setAllowRenegotiate(true) may be called on connectors.</p></td></tr><tr><td align="left" valign="top"><p>2009/06/18</p></td><td align="left" valign="top"><p>Jetty-1042</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt; = 6.1.18, &lt; = 7.0.0.M4</p></td><td align="left" valign="top"><p>6.1.19, 7.0.0.Rc0</p></td><td align="left" valign="top"><p>Cookie leak between
requests sharing a connection.</p></td></tr><tr><td align="left" valign="top"><p>2009/04/30</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/402580" target="_top">CERT402580</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt; = 6.1.16, &lt; = 7.0.0.M2</p></td><td align="left" valign="top"><p>5.1.15, 6.1.18, 7.0.0.M2</p>
<p>Jetty-1004</p></td><td align="left" valign="top"><p>View arbitrary disk content in some specific configurations.</p></td></tr><tr><td align="left" valign="top"><p>2007/12/22</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/553235" target="_top">CERT553235</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672" target="_top">CVE-2007-6672</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>6.1.rrc0-6.1.6</p></td><td align="left" valign="top"><p>6.1.7</p>
<p>CERT553235</p></td><td align="left" valign="top"><p>Static content visible in WEB-INF and past security constraints.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/438616" target="_top">CERT438616</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614" target="_top">CVE-2007-5614</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc1 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>Single quote in
cookie name.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/237888" target="_top">CERT237888&gt;</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613" target="_top">CVE-2007-5613</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>XSS in demo dup
servlet.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/03</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/212984" target="_top">CERT212984
&gt;</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615" target="_top">CVE-2007-5615</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>CRLF
Response splitting.</p></td></tr><tr><td align="left" valign="top"><p>2006/11/22</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969" target="_top">CVE-2006-6969</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;6.1.0, &lt;6.0.2, &lt;5.1.12, &lt;4.2.27</p></td><td align="left" valign="top"><p>6.1.0pre3, 6.0.2, 5.1.12,
4.2.27</p></td><td align="left" valign="top"><p>Session ID predictability.</p></td></tr><tr><td align="left" valign="top"><p>2006/06/01</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759" target="_top">CVE-2006-2759</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;6.0.*, &lt;6.0.0Beta17</p></td><td align="left" valign="top"><p>6.0.0Beta17</p></td><td align="left" valign="top"><p>JSP source
visibility.</p></td></tr><tr><td align="left" valign="top"><p>2006/01/05</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;5.1.10</p></td><td align="left" valign="top"><p>5.1.10</p></td><td align="left" valign="top"><p>Fixed //security
constraint bypass on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2005/11/18</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758" target="_top">CVE-2006-2758</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;5.1.6</p></td><td align="left" valign="top"><p>5.1.6, 6.0.0Beta4</p></td><td align="left" valign="top"><p>JSP source visibility.</p></td></tr><tr><td align="left" valign="top"><p>2004/02/04</p></td><td align="left" valign="top"><p>JSSE 1.0.3_01</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>&lt;4.2.7</p></td><td align="left" valign="top"><p>4.2.7</p></td><td align="left" valign="top"><p>Upgraded JSSE
to obtain downstream security fix.</p></td></tr><tr><td align="left" valign="top"><p>2002/09/22</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;4.1.0</p></td><td align="left" valign="top"><p>4.1.0</p></td><td align="left" valign="top"><p>Fixed CGI servlet remove
exploit.</p></td></tr><tr><td align="left" valign="top"><p>2002/03/12</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>&lt;3.1.7</p></td><td align="left" valign="top"><p>4.0.RC2, 3.1.7</p></td><td align="left" valign="top"><p>Fixed // security
constraint bypass.</p></td></tr><tr><td align="left" valign="top"><p>2001/10/21</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top">&nbsp;</td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>&lt;3.1.3</p></td><td align="left" valign="top"><p>3.1.3</p></td><td align="left" valign="top"><p>Fixed trailing null security
constraint bypass.</p></td></tr></tbody></table></div></div><br class="table-break"></div></div></div><div id="rightcolumn"><div class="sideitem"><h6>Quick Links</h6><ul><li><a href="http://www.eclipse.org/projects/project_summary.php?projectid=rt.jetty" target="_self">Project Summary</a></li><li><a href="/jetty/download.html" target="_self">Download</a></li><li><a href="/jetty/documentation/current" target="_self">Current Documentation</a></li><li><a href="/jetty/javadoc/current" target="_self">Current API Documentation</a></li><li><a href="https://github.com/eclipse/jetty.project/issues/new" target="_self">Enter Bug</a></li><li><a href="https://github.com/eclipse/jetty.project/issues" target="_self">Reported Bugs</a></li></ul></div><div class="sideitem"><h6>Active Contributors</h6><div style="position: relative; height: 50px;"><a href="http://www.webtide.com/" target="_blank" title=""><img alt="" src="https://www.eclipse.org/jetty/images/webtide-dark.png" style="position: absolute; left: 10px; top: 10px; width: 150px; height: auto;"></a></div></div></div></div></main><footer role="contentinfo" id="solstice-footer"><div class="container"><div class="row"><section class="col-sm-offset-1 col-xs-11 col-sm-7 col-md-6 col-md-offset-0 hidden-print" id="footer-eclipse-foundation"><h2 class="section-title">Eclipse Foundation</h2><ul class="nav"><li><a href="https://www.eclipse.org/org/">About us</a></li><li><a href="https://www.eclipse.org/org/foundation/contact.php">Contact Us</a></li><li><a href="https://www.eclipse.org/donate">Donate</a></li><li><a href="https://www.eclipse.org/org/documents/">Governance</a></li><li><a href="https://www.eclipse.org/artwork/">Logo and Artwork</a></li><li><a href="https://www.eclipse.org/org/foundation/directors.php">Board of Directors</a></li></ul></section><section class="col-sm-offset-1 col-xs-11 col-sm-7 col-md-6 col-md-offset-0 hidden-print" id="footer-legal"><h2 class="section-title">Legal</h2><ul class="nav"><li><a href="https://www.eclipse.org/legal/privacy.php">Privacy Policy</a></li><li><a href="https://www.eclipse.org/legal/termsofuse.php">Terms of Use</a></li><li><a href="https://www.eclipse.org/legal/copyright.php">Copyright Agent</a></li><li><a href="https://www.eclipse.org/org/documents/epl-v10.php">Eclipse Public License </a></li><li><a href="https://www.eclipse.org/legal/">Legal Resources </a></li></ul></section><section class="col-sm-offset-1 col-xs-11 col-sm-7 col-md-6 col-md-offset-0 hidden-print" id="footer-useful-links"><h2 class="section-title">Useful Links</h2><ul class="nav"><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="//help.eclipse.org/">Documentation</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="//marketplace.eclipse.org">Marketplace</a></li></ul></section><section class="col-sm-offset-1 col-xs-11 col-sm-7 col-md-6 col-md-offset-0 hidden-print" id="footer-other"><h2 class="section-title">Other</h2><ul class="nav"><li><a href="https://www.eclipse.org/ide/">IDE and Tools</a></li><li><a href="https://www.eclipse.org/projects">Community of Projects</a></li><li><a href="https://www.eclipse.org/org/workinggroups/">Working Groups</a></li></ul><ul class="list-inline social-media"><li><a href="https://twitter.com/EclipseFdn"><i class="fa fa-twitter-square"></i></a></li><li><a href="https://plus.google.com/+Eclipse"><i class="fa fa-google-plus-square"></i></a></li><li><a href="https://www.facebook.com/eclipse.org"><i class="fa fa-facebook-square"></i></a></li><li><a href="https://www.youtube.com/user/EclipseFdn"><i class="fa fa-youtube-square"></i></a></li></ul></section><div id="copyright" class="col-sm-offset-1 col-sm-14 col-md-24 col-md-offset-0"><span class="hidden-print"><div class="wrapper-logo-eclipse-white"><a href="https://www.eclipse.org"><img class="logo-eclipse-white img-responsive" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-logo-bw-332x78.png"></a></div></span><p id="copyright-text">Copyright &copy; 2016 The Eclipse Foundation. All Rights Reserved.</p></div><a href="#" class="scrollup">Back to the top</a></div></div></footer></body></html>