org.eclipse.jetty:jetty-server@11.0.11 vulnerabilities

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

1. This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;

2. The Jetty usage of the HttpURI class is not vulnerable.

Upgrade org.eclipse.jetty:jetty-server to version 12.0.12 or higher.

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.

Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.