org.eclipse.jetty:jetty-server@11.0.18 vulnerabilities

latest version

12.0.14
latest non vulnerable version

12.0.14
first published

16 years ago
latest version published

a month ago
licenses detected
- (Apache-2.0 OR EPL-1.0)
  [7.0.0.M0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Denial of Service (DoS) org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `ThreadLimitHandler.getRemote()` method. An attacker can exhaust the server's memory and trigger `OutofMemory` errors by repeatedly sending crafted requests. How to fix Denial of Service (DoS)? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.	[9.3.12,9.4.56) [10.0.0,10.0.24) [11.0.0,11.0.24) [12.0.0,12.0.9)
M Improper Validation of Syntactic Correctness of Input org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the `HttpURI` class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks. Notes: This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the `HttpURI` class used directly; The Jetty usage of the `HttpURI` class is not vulnerable. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `org.eclipse.jetty:jetty-server` to version 12.0.12 or higher.	[,12.0.12)

Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

[9.3.12,9.4.56) [10.0.0,10.0.24) [11.0.0,11.0.24) [12.0.0,12.0.9)

Improper Validation of Syntactic Correctness of Input

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;
The Jetty usage of the HttpURI class is not vulnerable.

How to fix Improper Validation of Syntactic Correctness of Input?

Upgrade org.eclipse.jetty:jetty-server to version 12.0.12 or higher.

[,12.0.12)

Go back to all versions of this package

org.eclipse.jetty:jetty-server@11.0.18 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities