Version: 9.2.2-SNAPSHOT

Jetty Security Reports

The following table lists Jetty security issues that have been reported and resolved, with the affected and fixed versions for each.

Table 36.1. Resolved Issues

| Date (yyyy/mm/dd) | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
|---|---|---|---|---|---|---|
| 2013/11/27 | PT-2013-65 | medium | high | >=9.0.0 <9.0.5 | 9.0.6 418014 | Alias checking disabled by NTFS errors on Windows. |
| 2013/07/24 | 413684 | low | medium | >=7.6.9 <9.0.5 | 7.6.13, 8.1.13, 9.0.5 413684 | Constraints bypassed if the unix symlink alias checker is used on Windows. |
| 2011/12/29 | CERT2011-003 CVE-2011-4461 | high | medium | All versions | 7.6.0.RCO Jetty-367638 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
| 2009/11/05 | CERT2011-003 CERT2011-003 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19, setAllowRenegotiate(true) may be called on connectors. |
| 2009/06/18 | Jetty-1042 | low | high | <=6.1.18, <=7.0.0.M4 | 6.1.19, 7.0.0.Rc0 | Cookie leak between requests sharing a connection. |
| 2009/04/30 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2 Jetty-1004 | View arbitrary disk content in some specific configurations. |
| 2007/12/22 | CERT553235 CVE-2007-6672 | high | medium | 6.1.rrc0-6.1.6 | 6.1.7 CERT553235 | Static content visible in WEB-INF and past security constraints. |
| 2007/11/05 | CERT438616 CVE-2007-5614 | low | low | <6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | Single quote in cookie name. |
| 2007/11/05 | CERT237888 CVE-2007-5613 | low | low | <6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | XSS in demo dump servlet. |
| 2007/11/03 | CERT212984 CVE-2007-5615 | medium | medium | <6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | CRLF response splitting. |
| 2006/11/22 | CVE-2006-6969 | low | high | <6.1.0, <6.0.2, <5.1.12, <4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability. |
| 2006/06/01 | CVE-2006-2759 | medium | medium | <6.0.*, <6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility. |
| 2006/01/05 | | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on Windows. |
| 2005/11/18 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility. |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix. |
| 2002/09/22 | | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit. |
| 2002/03/12 | | medium | | <3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass. |
| 2001/10/21 | | medium | high | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass. |

Generated: 2014-09-30T01:00:38-07:00