Version: 9.4.5.v20170502
The following sections provide information about Jetty security issues.
If you would like to report a security issue please follow these instructions.
Table 33.1. Resolved Issues
yyyy/mm/dd | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
---|---|---|---|---|---|---|
2016/05/31 | CVE-2016-4800 | high | high | >= 9.3.0, <= 9.3.8 | 9.3.9 | Alias vulnerability allowing access to protected resources within a webapp on Windows. |
2015/02/24 | CVE-2015-2080 | high | high | >=9.2.3 <9.2.9 | 9.2.9 | |
2013/11/27 | | medium | high | >=9.0.0 <9.0.5 | 9.0.6 418014 | Alias checking disabled by NTFS errors on Windows. |
2013/07/24 | | low | medium | >=7.6.9 <9.0.5 | 7.6.13,8.1.13,9.0.5 413684 | Constraints bypassed if Unix symlink alias checker used on Windows. |
2011/12/29 | | high | medium | All versions | 7.6.0.RCO Jetty-367638 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
2009/11/05 | | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors. |
2009/06/18 | | low | high | <= 6.1.18, <= 7.0.0.M4 | 6.1.19, 7.0.0.Rc0 | Cookie leak between requests sharing a connection. |
2009/04/30 | | medium | high | <= 6.1.16, <= 7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2 | View arbitrary disk content in some specific configurations. |
2007/12/22 | | high | medium | 6.1.rrc0-6.1.6 | 6.1.7 | Static content visible in WEB-INF and past security constraints. |
2007/11/05 | | low | low | <6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | Single quote in cookie name. |
2007/11/05 | | low | low | <6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | XSS in demo dup servlet. |
2007/11/03 | | medium | medium | <6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | CRLF Response splitting. |
2006/11/22 | | low | high | <6.1.0, <6.0.2, <5.1.12, <4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability. |
2006/06/01 | | medium | medium | <6.0.*, <6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility. |
2006/01/05 | | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on Windows. |
2005/11/18 | | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility. |
2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix. |
2002/09/22 | | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remote exploit. |
2002/03/12 | medium | <3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass. | ||
2001/10/21 | | medium | high | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass. |