Jetty Logo
Version: 9.4.5.v20170502
Contact the core Jetty developers at www.webtide.com

private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services for sponsored feature development

Jetty Security Reports

The following sections provide information about Jetty security issues.

If you would like to report a security issue please follow these instructions.

Table 33.1. Resolved Issues

yyyy/mm/ddIDExploitableSeverityAffectsFixed VersionComment

2016/05/31

CVE-2016-4800

high

high

>= 9.3.0, < = 9.3.8

9.3.9

Alias vulnerability allowing access to protected resources within a webapp on Windows.

2015/02/24

CVE-2015-2080

high

high

>=9.2.3 <9.2.9

9.2.9

JetLeak exposure of past buffers during HttpParser error

2013/11/27

PT-2013-65

medium

high

>=9.0.0 <9.0.5

9.0.6 418014

Alias checking disabled by NTFS errors on Windows.

2013/07/24

413684

low

medium

>=7.6.9 <9.0.5

7.6.13,8.1.13,9.0.5 413684

Constraints bypassed if Unix symlink alias checker used on Windows.

2011/12/29

CERT2011-003 CVE-2011-4461

high

medium

All versions

7.6.0.RCO Jetty-367638

Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).

2009/11/05

CERT2011-003 CERT2011-003

medium

high

JVM<1.6u19

jetty-7.01.v20091125, jetty-6.1.22

Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors.

2009/06/18

Jetty-1042

low

high

< = 6.1.18, < = 7.0.0.M4

6.1.19, 7.0.0.Rc0

Cookie leak between requests sharing a connection.

2009/04/30

CERT402580

medium

high

< = 6.1.16, < = 7.0.0.M2

5.1.15, 6.1.18, 7.0.0.M2

Jetty-1004

View arbitrary disk content in some specific configurations.

2007/12/22

CERT553235 CVE-2007-6672

high

medium

6.1.rrc0-6.1.6

6.1.7

CERT553235

Static content visible in WEB-INF and past security constraints.

2007/11/05

CERT438616 CVE-2007-5614

low

low

<6.1.6

6.1.6rc1 (patch in CVS for jetty5)

Single quote in cookie name.

2007/11/05

CERT237888> CVE-2007-5613

low

low

<6.1.6

6.1.6rc0 (patch in CVS for jetty5)

XSS in demo dup servlet.

2007/11/03

CERT212984 > CVE-2007-5615

medium

medium

<6.1.6

6.1.6rc0 (patch in CVS for jetty5)

CRLF Response splitting.

2006/11/22

CVE-2006-6969

low

high

<6.1.0, <6.0.2, <5.1.12, <4.2.27

6.1.0pre3, 6.0.2, 5.1.12, 4.2.27

Session ID predictability.

2006/06/01

CVE-2006-2759

medium

medium

<6.0.*, <6.0.0Beta17

6.0.0Beta17

JSP source visibility.

2006/01/05

 

medium

medium

<5.1.10

5.1.10

Fixed //security constraint bypass on Windows.

2005/11/18

CVE-2006-2758

medium

medium

<5.1.6

5.1.6, 6.0.0Beta4

JSP source visibility.

2004/02/04

JSSE 1.0.3_01

medium

medium

<4.2.7

4.2.7

Upgraded JSSE to obtain downstream security fix.

2002/09/22

 

high

high

<4.1.0

4.1.0

Fixed CGI servlet remove exploit.

2002/03/12

 

medium

 

<3.1.7

4.0.RC2, 3.1.7

Fixed // security constraint bypass.

2001/10/21

medium

 

high

<3.1.3

3.1.3

Fixed trailing null security constraint bypass.


See an error or something missing? Contribute to this documentation at Github!(Generated: 2017-05-02)