org.eclipse.jetty:jetty-util 7.0.0.M0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-util package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Directory Traversal org.eclipse.jetty:jetty-util is a Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more. Affected versions of this package are vulnerable to Directory Traversal. This issue allows remote attackers to access arbitrary files via directory traversal sequences in the URI. Note: In order for a system to be vulnerable, it must either be using the `DefaultServlet` with support for aliases explicitly enabled or the `ResourceHandler` class to serve static content. How to fix Directory Traversal? Upgrade `org.eclipse.jetty:jetty-util` to version 7.0.0.M2 or higher.	[7.0.0.M0,7.0.0.M2)
H Timing Attack org.eclipse.jetty:jetty-util is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Timing Attacks. A flaw in the `util/security/Password.java` class makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. How to fix Timing Attack? Upgrade `org.eclipse.jetty:jetty-util` to versions 9.2.22, 9.3.20, 9.4.6 or higher.	[,9.2.22.v20170606)[9.3.0.M0,9.3.20.v20170531)[9.4.0.M0,9.4.6.v20170531)

Vulnerability

Vulnerable Version

Directory Traversal

org.eclipse.jetty:jetty-util is a Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more.

Affected versions of this package are vulnerable to Directory Traversal. This issue allows remote attackers to access arbitrary files via directory traversal sequences in the URI.

Note:

In order for a system to be vulnerable, it must either be using the DefaultServlet with support for aliases explicitly enabled or the ResourceHandler class to serve static content.

How to fix Directory Traversal?

Upgrade org.eclipse.jetty:jetty-util to version 7.0.0.M2 or higher.

[7.0.0.M0,7.0.0.M2)

Timing Attack

org.eclipse.jetty:jetty-util is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Timing Attacks. A flaw in the util/security/Password.java class makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

How to fix Timing Attack?

Upgrade org.eclipse.jetty:jetty-util to versions 9.2.22, 9.3.20, 9.4.6 or higher.

[,9.2.22.v20170606)[9.3.0.M0,9.3.20.v20170531)[9.4.0.M0,9.4.6.v20170531)

org.eclipse.jetty:jetty-util@7.0.0.M0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?