org.eclipse.jetty:jetty-util@9.3.5.v20151012 vulnerabilities

latest version

12.0.8
latest non vulnerable version

12.0.8
first published

15 years ago
latest version published

a month ago
licenses detected
- (Apache-2.0 OR EPL-1.0)
  [7.0.0.M0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.eclipse.jetty:jetty-util package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.eclipse.jetty:jetty-util is a Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when a remote client uses a specially formatted URL against the `DefaultServlet` or `ResourceHandler` that is configured for showing a listing of directory contents. How to fix Cross-site Scripting (XSS)? Upgrade `org.eclipse.jetty:jetty-util` to version 9.2.27.v20190403, 9.3.26.v20190403, 9.4.16.v20190411 or higher.	[9.2.0.M0,9.2.27.v20190403) [9.3.0.M0,9.3.26.v20190403) [9.4.15.v20190215,9.4.16.v20190411)
M Information Exposure org.eclipse.jetty:jetty-util is a Web Container & Clients - supports HTTP/2, HTTP/1.1, HTTP/1.0, websocket, servlets, and more. Affected versions of this package are vulnerable to Information Exposure. When an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a `java.nio.file.InvalidPathException` which includes the full path to the base resource directory that the `DefaultServlet and/or` webapp is using. If this `InvalidPathException` is then handled by the default Error Handler, the `InvalidPathException` message is included in the error response, revealing the full server path to the requesting system. How to fix Information Exposure? Upgrade `org.eclipse.jetty:jetty-util` to version 9.3.24.v20180605, 9.4.11.v20180605 or higher.	[9.3.0.RC0,9.3.24.v20180605) [9.4.0.M0,9.4.11.v20180605)
H Timing Attack org.eclipse.jetty:jetty-util is a lightweight highly scalable java based web server and servlet engine. Affected versions of this package are vulnerable to Timing Attacks. A flaw in the `util/security/Password.java` class makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords. How to fix Timing Attack? Upgrade `org.eclipse.jetty:jetty-util` to versions 9.2.22, 9.3.20, 9.4.6 or higher.	[,9.2.22.v20170606) [9.3.0.M0,9.3.20.v20170531) [9.4.0.M0,9.4.6.v20170531)
C Information Exposure `org.eclipse.jetty:jetty-util` Affected versions of the package are vulnerable to Information Exposure. The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.	[9.3.0.M0,9.3.9.v20160517)

Go back to all versions of this package

org.eclipse.jetty:jetty-util@9.3.5.v20151012 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities