Search CVE reports
1 – 10 of 60 results
In Eclipse Jetty, an HTTP URI of this form: /public;/../admin/secret.txt results in an unresolved path of: /public/../admin/secret.txt instead of the expected: /admin/secret.txt Jetty itself is not affected, as it will not serve...
2 affected packages
jetty12, jetty9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
In Eclipse Jetty, for HTTP/1, HTTP/2 and HTTP/3 requests, there is no strict check that the request authority (host and port) matches what provided in the Host header (if present). This was not enforced in earlier HTTP RFC (for...
2 affected packages
jetty12, jetty9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
In Eclipse Jetty, a first HTTP/1.1 request with trailers causes the server to retain the trailers in subsequent requests performed over the same connection. Subsequent request that do not have trailers report the trailers of...
2 affected packages
jetty12, jetty9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
For requests that have a body, but reading the body may end up in reading 0 bytes, there is a buffer leak. This is particularly the case for 100-Continue, but any request where the network is slow can leak.
2 affected packages
jetty12, jetty9
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chunks" techniques outlined here: * https://w4ke.info/2025/06/18/funky-chunks.html * ...
2 affected packages
jetty9, jetty12
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon returning from the initial checks, there are conditions that cause an early return from the...
2 affected packages
jetty9, jetty
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty | Not in release | Not in release | Not in release | — | — |
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with Content-Encoding: gzip, is processed and the corresponding response is...
2 affected packages
jetty9, jetty12
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. For example...
2 affected packages
jetty9, jetty12
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty12 | Needs evaluation | Not in release | Not in release | — | — |
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are malformed or that should not be sent...
2 affected packages
jetty9, jetty
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty | Not in release | Not in release | Not in release | — | — |
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. The Jetty HTTP/2 server does not perform validation on this...
3 affected packages
jetty9, jetty, jetty12
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jetty9 | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation | Needs evaluation |
| jetty | Not in release | Not in release | Not in release | — | — |
| jetty12 | Not affected | Not in release | Not in release | — | — |