org.eclipse.jetty:jetty-server@9.4.8.v20171121 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-server package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • L
Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51) [10.0.0,10.0.14) [11.0.0,11.0.14) [12.0.0alpha0,12.0.0.beta0)
  • M
Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.

Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

[,9.4.51) [10.0.0,10.0.14) [11.0.0,11.0.14) [12.0.0.alpha0,12.0.0.beta0)
  • L
Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. If an exception is thrown by the SessionListener#sessionDestroyed() method, the session ID will not be validated in the manager, which may allow the application to be left logged in on a shared computer.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 11.0.3, 10.0.3, 9.4.41 or higher.

[11.0.0,11.0.3) [10.0.0,10.0.3) [,9.4.41)
  • M
Denial of Service (DoS)

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). When Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

How to fix Denial of Service (DoS)?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.37.v20210219, 10.0.1, 11.0.1 or higher.

[9.4.6.v20170531,9.4.37.v20210219) [10.0.0,10.0.1) [11.0.0,11.0.1)
  • M
HTTP Request Smuggling

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

How to fix HTTP Request Smuggling?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3 or higher.

[9.4.0.RC0,9.4.35.v20201120) [10.0.0.alpha0,10.0.0.beta3) [11.0.0.alpha0,11.0.0.beta3)
  • M
Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. The configuration of a Jetty server may be leaked as part of a HTTP 404 response. This is due to the DefaultHandler class producing an error page during an exception.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 9.2.28.v20190418, 9.3.27.v20190418, 9.4.17.v20190418 or higher.

[7.0.0.M0,9.2.28.v20190418) [9.3.0.M0,9.3.27.v20190418) [9.4.0.M0,9.4.17.v20190418)
  • H
Web Cache Poisoning

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Web Cache Poisoning. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version, the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

How to fix Web Cache Poisoning?

Upgrade org.eclipse.jetty:jetty-server to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

[,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)
  • C
Authorization Bypass

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Authorization Bypass. When it presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

How to fix Authorization Bypass?

Upgrade org.eclipse.jetty:jetty-server to versions 9.2.25, 9.3.24, 9.4.11 or higher.

(8.2.0.v20160908,9.2.25.v20180606) [9.3.0.M0,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)
  • M
Information Exposure

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. When an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

How to fix Information Exposure?

Upgrade org.eclipse.jetty:jetty-server to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.

[9.3.0.RC0,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)
  • H
Session Hijacking

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Session Hijacking. Affected versions of this package are vulnerable to Session Hijacking. When using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.

How to fix Session Hijacking?

Upgrade org.eclipse.jetty:jetty-server to version 9.4.9.v20180320 or higher.

[9.4.0.RC0,9.4.9.v20180320)