org.eclipse.jetty:jetty-server@10.0.5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51) [10.0.0,10.0.14) [11.0.0,11.0.14) [12.0.0alpha0,12.0.0.beta0)
  • M
Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.

Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51) [10.0.0,10.0.14) [11.0.0,11.0.14) [12.0.0.alpha0,12.0.0.beta0)
  • H
Improper Resource Shutdown or Release

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release when SslConnection does not release pooled ByteBuffers in case of errors, results in a memory leak.

How to fix Improper Resource Shutdown or Release?

Upgrade org.eclipse.jetty:jetty-server to version 10.0.10, 11.0.10 or higher.

[10.0.0,10.0.10) [11.0.0,11.0.10)