| <html xmlns:d="http://docbook.org/ns/docbook" xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0" xmlns:xslthl="http://xslthl.sf.net" xmlns:gcse="http://www.google.com" xmlns:date="http://exslt.org/dates-and-times"><head> |
| <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
| <link rel="home" href="security-reports.html" title="Reporting Security Issues"><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><meta name="author" content="jmcconnell"><meta name="keywords" content="Jetty, Servlets, Async, SPDY, Web Server, Web Client, Eclipse RT, Eclipse Runtime"><link href="//fonts.googleapis.com/css?family=Open+Sans:400,700,300,600,100" rel="stylesheet" type="text/css"><link rel="shortcut icon" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/favicon.ico"><title>Jetty - Servlet Engine and Http Server</title><link rel="stylesheet" href="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/stylesheets/styles.min.css"><meta property="og:description" content="Jetty is a highly scalable modular servlet engine and http server that natively supports many modern protocols like SPDY and WebSockets."><meta property="og:image" content="https://www.eclipse.org/jetty/images/jetty-logo-80x22.png"><meta property="og:title" content="Jetty - Servlet Engine and Http Server"><link rel="stylesheet" type="text/css" href="/jetty/css/jetty.css"><link rel="stylesheet" type="text/css" href="/jetty/css/docbook.css"><link rel="stylesheet" type="text/css" href="/jetty/css/styles.min.css"></head><body id="body-solstice"><a class="sr-only" href="#content">Skip to main content</a><div class="clearfix toolbar-container-wrapper"><div class="container"><div class="text-right toolbar-row row hidden-print"><div class="col-md-24 row-toolbar-col"><ul class="list-inline"><li><a href="https://dev.eclipse.org/site_login/createaccount.php"><i class="fa fa-user fa-fw"></i> Create account</a></li><li><a href="https://dev.eclipse.org/site_login/?takemeback=https://www.eclipse.org/jetty/"><i class="fa fa-sign-in fa-fw"></i> Log in</a></li></ul></div></div></div></div><header role="banner" id="header-wrapper"><div class="container"><div class="row" 
id="header-row"><div class="hidden-xs col-sm-8 col-md-6 col-lg-5" id="header-left"><div class="wrapper-logo-default"><a href="https://www.eclipse.org/"><img class="logo-eclipse-default img-responsive hidden-xs" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-426x100.png"></a></div></div><div class="col-sm-10 col-md-8 col-lg-5 hidden-print hidden-xs pull-right" id="header-right"><div id="btn-call-for-action"><a href="https://www.eclipse.org/donate/" class="btn btn-huge btn-info"><i class="fa fa-star"></i> Donate</a></div></div><div class="col-sm-14 col-md-16 col-lg-19 reset" id="main-menu-wrapper"><div class="navbar yamm" id="main-menu"><div id="navbar-collapse-1" class="navbar-collapse collapse"><ul class="nav navbar-nav"><li class="visible-thin"><a href="https://www.eclipse.org/downloads/" target="_self">Download</a></li><li><a href="https://www.eclipse.org/users/" target="_self">Getting Started</a></li><li><a href="https://www.eclipse.org/membership/" target="_self">Members</a></li><li><a href="https://www.eclipse.org/projects/" target="_self">Projects</a></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Community <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Participate <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a 
href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul></li><li class="dropdown visible-xs"><a href="#" data-toggle="dropdown" class="dropdown-toggle">Working Groups <b class="caret"></b></a><ul class="dropdown-menu"><li><a href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></li><li class="dropdown eclipse-more hidden-xs"><a data-toggle="dropdown" class="dropdown-toggle">More<b class="caret"></b></a><ul class="dropdown-menu"><li><div class="yamm-content"><div class="row"><ul class="col-sm-8 list-unstyled"><li><p><strong>Community</strong></p></li><li><a href="http://marketplace.eclipse.org">Marketplace</a></li><li><a href="http://events.eclipse.org">Events</a></li><li><a href="http://www.planeteclipse.org/">Planet Eclipse</a></li><li><a href="https://www.eclipse.org/community/eclipse_newsletter/">Newsletter</a></li><li><a href="https://www.youtube.com/user/EclipseFdn">Videos</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Participate</strong></p></li><li><a href="https://bugs.eclipse.org/bugs/">Report a Bug</a></li><li><a href="https://www.eclipse.org/forums/">Forums</a></li><li><a href="https://www.eclipse.org/mail/">Mailing Lists</a></li><li><a href="https://wiki.eclipse.org/">Wiki</a></li><li><a href="https://wiki.eclipse.org/IRC">IRC</a></li><li><a href="https://www.eclipse.org/contribute/">How to Contribute</a></li></ul><ul class="col-sm-8 list-unstyled"><li><p><strong>Working Groups</strong></p></li><li><a 
href="http://wiki.eclipse.org/Auto_IWG">Automotive</a></li><li><a href="http://iot.eclipse.org">Internet of Things</a></li><li><a href="http://locationtech.org">LocationTech</a></li><li><a href="http://lts.eclipse.org">Long-Term Support</a></li><li><a href="http://polarsys.org">PolarSys</a></li><li><a href="http://science.eclipse.org">Science</a></li><li><a href="http://www.openmdm.org">OpenMDM</a></li></ul></div></div></li></ul></li></ul></div><div class="navbar-header"><button type="button" class="navbar-toggle" data-toggle="collapse" data-target="#navbar-collapse-1"><span class="sr-only">Toggle navigation</span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span><span class="icon-bar"></span></button><div class="wrapper-logo-mobile"><a class="navbar-brand visible-xs" href="https://www.eclipse.org/"><img class="logo-eclipse-default-mobile img-responsive" alt="logo" src="https://www.eclipse.org/eclipse.org-common/themes/solstice/public/images/logo/eclipse-800x188.png"></a></div></div></div></div></div></div></header><section class="hidden-print default-breadcrumbs" id="breadcrumb"><div class="container"><h3 class="sr-only">Breadcrumbs</h3><div class="col-xs-24"><ol class="breadcrumb"><li><a href="https://www.eclipse.org/">Home</a></li><li><a href="https://www.eclipse.org/projects/">Projects</a></li><li><a href="https://www.eclipse.org/jetty">jetty</a></li></ol></div></div></section><main class="no-promo"><div class="novaContent container" id="novaContent"><aside id="leftcol" class="col-md-4"><ul id="leftnav" class="ul-left-nav fa-ul hidden-print"><li class="separator"><a class="separator" href="/jetty/index.html">Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/about.html" target="_self">About Eclipse Jetty</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/powered" target="_self">Jetty Powered</a></li><li><i class="fa fa-angle-double-right orange 
fa-fw"></i><a href="/jetty/licenses.html" target="_self">Licenses</a></li><li class="separator">Resources</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/download.html" target="_self">Downloads</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation" target="_self">Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/javadoc" target="_self">API Documentation</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/security-reports.html" target="_self">Security Reports</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/jetty-maven-plugin.html" target="_self">Maven Plugin</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/mailinglists.html" target="_self">Mailing Lists</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://webtide.com/blogs" target="_self">Blogs</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A31" target="_self">Eclipse Tooling</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/tools.html" target="_self">Tools</a></li><li class="separator">Project Management</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/advanced-contributing.html#community" target="_self">Community</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="/jetty/documentation/current/contributing-patches.html" target="_self">Contributing</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://www.eclipse.org/projects/ip_log.php?projectid=rt.jetty" target="_self">IP Log</a></li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://github.com/eclipse/jetty.project" target="_self">Source</a></li><li 
class="separator">Professional Services</li><li><i class="fa fa-angle-double-right orange fa-fw"></i><a href="http://marketplace.eclipse.org/search/site/jetty?f[0]=im_taxonomy_vocabulary_3%3A34" target="_self">Training and Consulting</a></li></ul></aside><div id="maincontent"><div id="midcolumn"><center><img src="/jetty/images/jetty-logo-80x22.png"></center><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reporting"></a>Reporting Security Issues</h2></div></div></div><p>There are a number of avenues for reporting security issues to the Jetty project available. |
| If the issue is directly related to Jetty itself, then reporting it to the Jetty developers is encouraged. |
| The most direct method is to mail <span class="emphasis"><em>security@webtide.com</em></span>. |
| Since Webtide is composed of the active committers of the Jetty project, this is our preferred reporting method. |
| We are generally flexible in how we work with reporters of security issues, but we reserve the right to act in the interests of the Jetty project in all circumstances.</p><p>If the issue is related to Eclipse or its Jetty integration, then we encourage you to reach out to <span class="emphasis"><em>security@eclipse.org</em></span>.</p><p>If the issue is related to integrations with Jetty, we are happy to work with you to identify the proper entity, and either of the approaches above is fine.</p><p>We prefer that security issues are reported directly to Jetty developers rather than through GitHub Issues, since GitHub Issues has no facility to tag issues as <span class="emphasis"><em>private</em></span>.</p></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-reports"></a>Jetty Security Reports</h2></div></div></div><p>The following table lists known Jetty security issues, with the affected and fixed versions.</p><div class="table"><a name="d31e33"></a><p class="title"><b>Resolved Issues</b></p><div class="table-contents"><table class="table" summary="Resolved Issues" border="1" width="99%"><colgroup><col class="col_1"><col class="col_2"><col class="col_3"><col class="col_4"><col class="col_5"><col class="col_6"><col class="col_7"></colgroup><thead><tr><th align="left" valign="top">yyyy/mm/dd</th><th align="left" valign="top">ID</th><th align="left" valign="top">Exploitable</th><th align="left" valign="top">Severity</th><th align="left" valign="top">Affects</th><th align="left" valign="top">Fixed Version</th><th align="left" valign="top">Comment</th></tr></thead><tbody><tr><td align="left" valign="top"><p>2019/11/25</p></td><td align="left" valign="top"><p>CVE-2019-17632</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>>= 9.4.21, < = 9.4.23</p></td><td align="left" valign="top"><p>9.4.24</p></td><td align="left" valign="top"><p><a class="link" 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632" target="_top">The generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9518</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518" target="_top">Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9516</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516" target="_top">Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9515</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515" target="_top">Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sent a stream of SETTINGS frames to the 
peer.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9514</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514" target="_top">Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9512</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512" target="_top">Some HTTP/2 implementations are vulnerable to ping floods which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/08/13</p></td><td align="left" valign="top"><p>CVE-2019-9511</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>Low</p></td><td align="left" valign="top"><p>< = 9.4.20</p></td><td align="left" valign="top"><p>9.4.21</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511" target="_top">Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation which could lead to a denial of service.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10247</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>Med</p></td><td align="left" valign="top"><p>< = 9.4.16</p></td><td align="left" 
valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10247" target="_top">If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10246</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>< = 9.4.16</p></td><td align="left" valign="top"><p>9.2.28, 9.3.27, 9.4.17</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing on Windows operating systems.</a></p></td></tr><tr><td align="left" valign="top"><p>2019/04/11</p></td><td align="left" valign="top"><p>CVE-2019-10241</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>< = 9.4.15</p></td><td align="left" valign="top"><p>9.2.27, 9.3.26, 9.4.16</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241" target="_top">Use of <code class="literal">DefaultServlet</code> or <code class="literal">ResourceHandler</code> with indexing was vulnerable to XSS behaviors to expose the directory listing.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12538</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>>= 9.4.0, < = 9.4.8</p></td><td align="left" 
valign="top"><p>9.4.9</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12538" target="_top"><code class="literal">HttpSessions</code> present specifically in the FileSystem’s storage could be hijacked/accessed by an unauthorized user.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2018-12536</p></td><td align="left" valign="top"><p>High</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/209.html" target="_top">CWE-209</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12536" target="_top"><code class="literal">InvalidPathException</code> message reveals webapp system path.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7658</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658" target="_top">Too tolerant parser: double Content-Length + Transfer-Encoding + whitespace.</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7657</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a 
class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7657" target="_top">HTTP/1.1 request smuggling with carefully crafted body content (does not apply to HTTP/1.0 or HTTP/2).</a></p></td></tr><tr><td align="left" valign="top"><p>2018/06/25</p></td><td align="left" valign="top"><p>CVE-2017-7656</p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>See <a class="link" href="https://cwe.mitre.org/data/definitions/444.html" target="_top">CWE-444</a></p></td><td align="left" valign="top"><p>< = 9.4.10</p></td><td align="left" valign="top"><p>9.2.25, 9.3.24, 9.4.11</p></td><td align="left" valign="top"><p><a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7656" target="_top">HTTP request smuggling when used with invalid request headers (for HTTP/0.9).</a></p></td></tr><tr><td align="left" valign="top"><p>2016/05/31</p></td><td align="left" valign="top"><p>CVE-2016-4800</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>= 9.3.0, < = 9.3.8</p></td><td align="left" valign="top"><p>9.3.9</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2016-001.html" target="_top">Alias vulnerability allowing access to protected resources within a webapp on Windows.</a></p></td></tr><tr><td align="left" valign="top"><p>2015/02/24</p></td><td align="left" valign="top"><p><a class="link" href="http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html" 
target="_top">CVE-2015-2080</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.2.3 <9.2.9</p></td><td align="left" valign="top"><p>9.2.9</p></td><td align="left" valign="top"><p>JetLeak exposure of past buffers during HttpParser error</p></td></tr><tr><td align="left" valign="top"><p>2013/11/27</p></td><td align="left" valign="top"><p><a class="link" href="http://en.securitylab.ru/lab/PT-2013-65" target="_top">PT-2013-65</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>>=9.0.0 <9.0.5</p></td><td align="left" valign="top"><p>9.0.6 |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014" target="_top">418014</a></p></td><td align="left" valign="top"><p>Alias checking disabled by NTFS errors on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2013/07/24</p></td><td align="left" valign="top"><p><a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>>=7.6.9 <9.0.5</p></td><td align="left" valign="top"><p>7.6.13,8.1.13,9.0.5 |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684" target="_top">413684</a></p></td><td align="left" valign="top"><p>Constraints bypassed if Unix symlink alias checker used on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2011/12/29</p></td><td align="left" valign="top"><p><a class="link" href="http://www.ocert.org/advisories/ocert-2011-003.html" target="_top">CERT2011-003</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461" target="_top">CVE-2011-4461</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>All versions</p></td><td align="left" valign="top"><p>7.6.0.RC0 |
| <a class="link" href="https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638" target="_top">Jetty-367638</a></p></td><td align="left" valign="top"><p>Added ContextHandler.setMaxFormKeys(int keys) to limit the number of form parameters (default 1000).</p></td></tr><tr><td align="left" valign="top"><p>2009/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/120541" target="_top">CERT120541</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555" target="_top">CVE-2009-3555</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>JVM<1.6u19</p></td><td align="left" valign="top"><p>jetty-7.01.v20091125, jetty-6.1.22</p></td><td align="left" valign="top"><p>Work |
| around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 |
| setAllowRenegotiate(true) may be called on connectors.</p></td></tr><tr><td align="left" valign="top"><p>2009/06/18</p></td><td align="left" valign="top"><p>Jetty-1042</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>< = 6.1.18, < = 7.0.0.M4</p></td><td align="left" valign="top"><p>6.1.19, 7.0.0.Rc0</p></td><td align="left" valign="top"><p>Cookie leak between |
| requests sharing a connection.</p></td></tr><tr><td align="left" valign="top"><p>2009/04/30</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/402580" target="_top">CERT402580</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>< = 6.1.16, < = 7.0.0.M2</p></td><td align="left" valign="top"><p>5.1.15, 6.1.18, 7.0.0.M2</p> |
| <p>Jetty-1004</p></td><td align="left" valign="top"><p>View arbitrary disk content in some specific configurations.</p></td></tr><tr><td align="left" valign="top"><p>2007/12/22</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/553235" target="_top">CERT553235</a> <a class="link" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672" target="_top">CVE-2007-6672</a></p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>6.1.rrc0-6.1.6</p></td><td align="left" valign="top"><p>6.1.7</p> |
| <p>CERT553235</p></td><td align="left" valign="top"><p>Static content visible in WEB-INF and past security constraints.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/438616" target="_top">CERT438616</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614" target="_top">CVE-2007-5614</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc1 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>Single quote in |
| cookie name.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/05</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/237888" target="_top">CERT237888</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613" target="_top">CVE-2007-5613</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>XSS in demo dup |
| servlet.</p></td></tr><tr><td align="left" valign="top"><p>2007/11/03</p></td><td align="left" valign="top"><p><a class="link" href="http://www.kb.cert.org/vuls/id/212984" target="_top">CERT212984</a> <a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615" target="_top">CVE-2007-5615</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><6.1.6</p></td><td align="left" valign="top"><p>6.1.6rc0 (patch in CVS for jetty5)</p></td><td align="left" valign="top"><p>CRLF |
| Response splitting.</p></td></tr><tr><td align="left" valign="top"><p>2006/11/22</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969" target="_top">CVE-2006-6969</a></p></td><td align="left" valign="top"><p>low</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><6.1.0, <6.0.2, <5.1.12, <4.2.27</p></td><td align="left" valign="top"><p>6.1.0pre3, 6.0.2, 5.1.12, |
| 4.2.27</p></td><td align="left" valign="top"><p>Session ID predictability.</p></td></tr><tr><td align="left" valign="top"><p>2006/06/01</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759" target="_top">CVE-2006-2759</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><6.0.*, <6.0.0Beta17</p></td><td align="left" valign="top"><p>6.0.0Beta17</p></td><td align="left" valign="top"><p>JSP source |
| visibility.</p></td></tr><tr><td align="left" valign="top"><p>2006/01/05</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><5.1.10</p></td><td align="left" valign="top"><p>5.1.10</p></td><td align="left" valign="top"><p>Fixed //security |
| constraint bypass on Windows.</p></td></tr><tr><td align="left" valign="top"><p>2005/11/18</p></td><td align="left" valign="top"><p><a class="link" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758" target="_top">CVE-2006-2758</a></p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><5.1.6</p></td><td align="left" valign="top"><p>5.1.6, 6.0.0Beta4</p></td><td align="left" valign="top"><p>JSP source visibility.</p></td></tr><tr><td align="left" valign="top"><p>2004/02/04</p></td><td align="left" valign="top"><p>JSSE 1.0.3_01</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p><4.2.7</p></td><td align="left" valign="top"><p>4.2.7</p></td><td align="left" valign="top"><p>Upgraded JSSE |
| to obtain downstream security fix.</p></td></tr><tr><td align="left" valign="top"><p>2002/09/22</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><4.1.0</p></td><td align="left" valign="top"><p>4.1.0</p></td><td align="left" valign="top"><p>Fixed CGI servlet remove |
| exploit.</p></td></tr><tr><td align="left" valign="top"><p>2002/03/12</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p><3.1.7</p></td><td align="left" valign="top"><p>4.0.RC2, 3.1.7</p></td><td align="left" valign="top"><p>Fixed // security |
| constraint bypass.</p></td></tr><tr><td align="left" valign="top"><p>2001/10/21</p></td><td align="left" valign="top"> </td><td align="left" valign="top"><p>medium</p></td><td align="left" valign="top"><p>high</p></td><td align="left" valign="top"><p><3.1.3</p></td><td align="left" valign="top"><p>3.1.3</p></td><td align="left" valign="top"><p>Fixed trailing null security |
| constraint bypass.</p></td></tr></tbody></table></div></div><br class="table-break"></div></div></div></div></main><footer role="contentinfo" id="solstice-footer"><div class="container"><div class="row"><div id="copyright" class="col-sm-offset-1 col-sm-14 col-md-24 col-md-offset-0"><p id="copyright-text">Copyright © 2016 The Eclipse Foundation. All Rights Reserved.</p></div></div></div></footer></body></html> |