org.eclipse.jetty:jetty-server 9.4.53.v20231009 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-server package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Improper Resource Shutdown or Release org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to an error in handling gzip compression in the `GzipHandler`. An attacker can corrupt data and inadvertently share it between requests by exploiting the improper release of a buffer when a gzip error occurs during the inflation of a request body. How to fix Improper Resource Shutdown or Release? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.57.v20241219 or higher.	[9.4.0.M0,9.4.57.v20241219)
H Denial of Service (DoS) org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Denial of Service (DoS) via the `ThreadLimitHandler.getRemote()` method. An attacker can exhaust the server's memory and trigger `OutofMemory` errors by repeatedly sending crafted requests. How to fix Denial of Service (DoS)? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.	[9.3.12,9.4.56)[10.0.0,10.0.24)[11.0.0,11.0.24)[12.0.0,12.0.9)
M Improper Validation of Syntactic Correctness of Input org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the `HttpURI` class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks. Notes: This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the `HttpURI` class used directly; The Jetty usage of the `HttpURI` class is not vulnerable. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `org.eclipse.jetty:jetty-server` to version 9.4.57.v20241219, 12.0.12 or higher.	[,9.4.57.v20241219)[10.0.0,12.0.12)

Vulnerability

Vulnerable Version

Improper Resource Shutdown or Release

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to an error in handling gzip compression in the GzipHandler. An attacker can corrupt data and inadvertently share it between requests by exploiting the improper release of a buffer when a gzip error occurs during the inflation of a request body.

How to fix Improper Resource Shutdown or Release?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.57.v20241219 or higher.

[9.4.0.M0,9.4.57.v20241219)

Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

[9.3.12,9.4.56)[10.0.0,10.0.24)[11.0.0,11.0.24)[12.0.0,12.0.9)

Improper Validation of Syntactic Correctness of Input

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;
The Jetty usage of the HttpURI class is not vulnerable.

How to fix Improper Validation of Syntactic Correctness of Input?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.57.v20241219, 12.0.12 or higher.

[,9.4.57.v20241219)[10.0.0,12.0.12)

org.eclipse.jetty:jetty-server@9.4.53.v20231009 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?