org.eclipse.jetty:jetty-server 9.4.28.v20200408 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-server package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Denial of Service (DoS) org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `ThreadLimitHandler.getRemote()` method. An attacker can exhaust the server's memory and trigger `OutofMemory` errors by repeatedly sending crafted requests. How to fix Denial of Service (DoS)? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.	[9.3.12,9.4.56)[10.0.0,10.0.24)[11.0.0,11.0.24)[12.0.0,12.0.9)
M Improper Validation of Syntactic Correctness of Input org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the `HttpURI` class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks. Notes: This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the `HttpURI` class used directly; The Jetty usage of the `HttpURI` class is not vulnerable. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.57.v20241219, 12.0.12 or higher.	[,9.4.57.v20241219)[10.0.0,12.0.12)
L Information Exposure org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass. Note: A cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. How to fix Information Exposure? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.	[,9.4.51)[10.0.0,10.0.14)[11.0.0,11.0.14)[12.0.0alpha0,12.0.0.beta0)
M Denial of Service (DoS) org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. Note: This happens even with the default settings of `fileSizeThreshold=0`, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. How to fix Denial of Service (DoS)? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.	[,9.4.51)[10.0.0,10.0.14)[11.0.0,11.0.14)[12.0.0.alpha0,12.0.0.beta0)
L Information Exposure org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Information Exposure. If an exception is thrown by the `SessionListener#sessionDestroyed()` method, the session ID will not be validated in the manager, which may allow the application to be left logged in on a shared computer. How to fix Information Exposure? Upgrade `org.eclipse.jetty:jetty-server` to version 11.0.3, 10.0.3, 9.4.41 or higher.	[11.0.0,11.0.3)[10.0.0,10.0.3)[,9.4.41)
M Denial of Service (DoS) org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Denial of Service (DoS). When Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values. How to fix Denial of Service (DoS)? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.37.v20210219, 10.0.1, 11.0.1 or higher.	[9.4.6.v20170531,9.4.37.v20210219)[10.0.0,10.0.1)[11.0.0,11.0.1)
M HTTP Request Smuggling org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request. How to fix HTTP Request Smuggling? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3 or higher.	[9.4.0.RC0,9.4.35.v20201120)[10.0.0.alpha0,10.0.0.beta3)[11.0.0.alpha0,11.0.0.beta3)
H Operation on a Resource after Expiration or Release org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release. In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). How to fix Operation on a Resource after Expiration or Release? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.30.v20200611 or higher.	[9.4.27.v20200227,9.4.30.v20200611)

Vulnerability

Vulnerable Version

Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

[9.3.12,9.4.56)[10.0.0,10.0.24)[11.0.0,11.0.24)[12.0.0,12.0.9)

Improper Validation of Syntactic Correctness of Input

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;
The Jetty usage of the HttpURI class is not vulnerable.

How to fix Improper Validation of Syntactic Correctness of Input?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.57.v20241219, 12.0.12 or higher.

[,9.4.57.v20241219)[10.0.0,12.0.12)

Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51)[10.0.0,10.0.14)[11.0.0,11.0.14)[12.0.0alpha0,12.0.0.beta0)

Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.

Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51)[10.0.0,10.0.14)[11.0.0,11.0.14)[12.0.0.alpha0,12.0.0.beta0)

Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. If an exception is thrown by the SessionListener#sessionDestroyed() method, the session ID will not be validated in the manager, which may allow the application to be left logged in on a shared computer.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 11.0.3, 10.0.3, 9.4.41 or higher.

[11.0.0,11.0.3)[10.0.0,10.0.3)[,9.4.41)

Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). When Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.37.v20210219, 10.0.1, 11.0.1 or higher.

[9.4.6.v20170531,9.4.37.v20210219)[10.0.0,10.0.1)[11.0.0,11.0.1)

HTTP Request Smuggling

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

How to fix HTTP Request Smuggling?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3 or higher.

[9.4.0.RC0,9.4.35.v20201120)[10.0.0.alpha0,10.0.0.beta3)[11.0.0.alpha0,11.0.0.beta3)

Operation on a Resource after Expiration or Release

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release. In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with response2 data. Thread1 then proceeds to write the buffer that now contains response2 data. This results in client1, which issued request1 and expects responses, to see response2 which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.).

How to fix Operation on a Resource after Expiration or Release?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.30.v20200611 or higher.

[9.4.27.v20200227,9.4.30.v20200611)

org.eclipse.jetty:jetty-server@9.4.28.v20200408 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?