Version: 9.2.3.v20140905

Jetty Security Reports

The following table lists the security issues that have been reported against Jetty and resolved, with the affected and fixed versions where the page records them.

Table 36.1. Resolved Issues

| Date (yyyy/mm/dd) | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
|---|---|---|---|---|---|---|
| 2013/11/27 | PT-2013-65 | medium | high | >=9.0.0 < | 418014 | Alias checking disabled by NTFS errors on Windows. |
| 2013/07/24 | 413684 | low | medium | >=7.6.9 <, 8.1.13, 9.0.5 | 413684 | Constraints bypassed if unix symlink alias checker used on Windows. |
| 2011/12/29 | CERT2011-003, CVE-2011-4461 | high | medium | All versions | 7.6.0.RC0, Jetty-367638 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
| 2009/11/05 | CERT2011-003 | medium | high | JVM < 1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19, setAllowRenegotiate(true) may be called on connectors. |
| 2009/06/18 | Jetty-1042 | low | high | <=6.1.18, <=7.0.0.M4 | 6.1.19, 7.0.0.RC0 | Cookie leak between requests sharing a connection. |
| 2009/04/30 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2 | View arbitrary disk content in some specific configurations. Static content visible in WEB-INF and past security constraints. |
| 2007/11/05 | CERT438616, CVE-2007-5614 | low | low | < | (patch in CVS for jetty5) | Single quote in cookie name. |
| 2007/11/05 | CERT237888, CVE-2007-5613 | low | low | < | (patch in CVS for jetty5) | XSS in demo dup servlet. |
| 2007/11/03 | CERT212984, CVE-2007-5615 | medium | medium | < | (patch in CVS for jetty5) | CRLF response splitting. |
| 2006/11/22 | CVE-2006-6969 | low | high | <6.1.0, <6.0.2, <5.1.12, < | 6.0.2, 5.1.12, 4.2.27 | Session ID predictability. |
| 2006/06/01 | CVE-2006-2759 | medium | medium | <6.0.*, <6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility. |
| 2006/01/05 |  | medium | medium | < |  | // security constraint bypass on Windows. |
| 2005/11/18 | CVE-2006-2758 | medium | medium | < | 6.0.0Beta4 | JSP source visibility. |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | < |  | JSSE to obtain downstream security fix. |
| 2002/09/22 |  | high | high | < |  | CGI servlet remove exploit. |
| 2002/03/12 |  | medium |  | < | 3.1.7 | Fixed // security constraint bypass. |
| 2001/10/21 |  | medium | high | < |  | Trailing null security constraint bypass. |

Cells that contain only "<" (or a comparison with no version after it) are entries whose version number was lost from the page; the boundary is not recorded here.

(Generated: 2014-10-24T01:00:41-07:00)