
Reporting Security Issues

There are a number of avenues available for reporting security issues to the Jetty project. If the issue is directly related to Jetty itself, reporting to the Jetty developers is encouraged. The most direct method is to mail security@webtide.com. Since Webtide is made up of the active committers of the Jetty project, this is our preferred reporting method. We are generally flexible in how we work with reporters of security issues, but we reserve the right to act in the interests of the Jetty project in all circumstances.

If the issue is related to Eclipse or its Jetty integration, then we encourage you to reach out to security@eclipse.org.

If the issue is related to integrations with Jetty, we are happy to work with you to identify the proper entity, and either of the approaches above is fine.

We prefer that security issues are reported directly to Jetty developers as opposed to through GitHub Issues, since GitHub Issues has no facility to mark an issue as private.

Jetty Security Reports

The following sections provide information about Jetty security issues.

If you would like to report a security issue, please follow the instructions above.

| Date (yyyy/mm/dd) | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
|---|---|---|---|---|---|---|
| 2019/08/13 | CVE-2019-9518 | Med | Med | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. |
| 2019/08/13 | CVE-2019-9516 | Med | Med | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. |
| 2019/08/13 | CVE-2019-9515 | Med | Med | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service when an attacker sends a stream of SETTINGS frames to the peer. |
| 2019/08/13 | CVE-2019-9514 | Med | Med | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. |
| 2019/08/13 | CVE-2019-9512 | Low | Low | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to ping floods, which could lead to a denial of service. |
| 2019/08/13 | CVE-2019-9511 | Low | Low | <= 9.4.20 | 9.4.21 | Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, which could lead to a denial of service. |
| 2019/04/11 | CVE-2019-10247 | Med | Med | <= 9.4.16 | 9.2.28, 9.3.27, 9.4.17 | If no webapp was mounted to the root namespace and a 404 was encountered, an HTML page would be generated displaying the fully qualified base resource location for each context. |
| 2019/04/11 | CVE-2019-10246 | High | High | <= 9.4.16 | 9.2.28, 9.3.27, 9.4.17 | Use of DefaultServlet or ResourceHandler with indexing was vulnerable to XSS behaviors that expose the directory listing on Windows operating systems. |
| 2019/04/11 | CVE-2019-10241 | High | High | <= 9.4.15 | 9.2.27, 9.3.26, 9.4.16 | Use of DefaultServlet or ResourceHandler with indexing was vulnerable to XSS behaviors that expose the directory listing. |
| 2018/06/25 | CVE-2018-12538 | High | High | >= 9.4.0, <= 9.4.8 | 9.4.9 | HttpSessions present specifically in the FileSystem's storage could be hijacked/accessed by an unauthorized user. |
| 2018/06/25 | CVE-2018-12536 | High | See CWE-202 | <= 9.4.10 | 9.2.25, 9.3.24, 9.4.11 | InvalidPathException message reveals the webapp system path. |
| 2018/06/25 | CVE-2017-7658 | See CWE-444 | See CWE-444 | <= 9.4.10 | 9.2.25, 9.3.24, 9.4.11 | Too tolerant parser: double Content-Length + Transfer-Encoding + whitespace. |
| 2018/06/25 | CVE-2017-7657 | See CWE-444 | See CWE-444 | <= 9.4.10 | 9.2.25, 9.3.24, 9.4.11 | HTTP/1.1 request smuggling with carefully crafted body content (does not apply to HTTP/1.0 or HTTP/2). |
| 2018/06/25 | CVE-2017-7656 | See CWE-444 | See CWE-444 | <= 9.4.10 | 9.2.25, 9.3.24, 9.4.11 | HTTP request smuggling when used with invalid request headers (for HTTP/0.9). |
| 2016/05/31 | CVE-2016-4800 | high | high | >= 9.3.0, <= 9.3.8 | 9.3.9 | Alias vulnerability allowing access to protected resources within a webapp on Windows. |
| 2015/02/24 | CVE-2015-2080 | high | high | >= 9.2.3, < 9.2.9 | 9.2.9 | JetLeak: exposure of past buffers during HttpParser error. |
| 2013/11/27 | PT-2013-65 | medium | high | >= 9.0.0, < 9.0.5 | 9.0.6 (418014) | Alias checking disabled by NTFS errors on Windows. |
| 2013/07/24 | 413684 | low | medium | >= 7.6.9, < 9.0.5 | 7.6.13, 8.1.13, 9.0.5 (413684) | Constraints bypassed if the Unix symlink alias checker is used on Windows. |
| 2011/12/29 | CERT2011-003, CVE-2011-4461 | high | medium | All versions | 7.6.0.RC0 (Jetty-367638) | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
| 2009/11/05 | CERT2011-003 | medium | high | JVM < 1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19, setAllowRenegotiate(true) may be called on connectors. |
| 2009/06/18 | Jetty-1042 | low | high | <= 6.1.18, <= 7.0.0.M4 | 6.1.19, 7.0.0.RC0 | Cookie leak between requests sharing a connection. |
| 2009/04/30 | CERT402580, Jetty-1004 | medium | high | <= 6.1.16, <= 7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2 | View arbitrary disk content in some specific configurations. |
| 2007/12/22 | CERT553235, CVE-2007-6672 | high | medium | 6.1.rc0-6.1.6 | 6.1.7 | Static content visible in WEB-INF and past security constraints. |
| 2007/11/05 | CERT438616, CVE-2007-5614 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | Single quote in cookie name. |
| 2007/11/05 | CERT237888, CVE-2007-5613 | low | low | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | XSS in demo dump servlet. |
| 2007/11/03 | CERT212984, CVE-2007-5615 | medium | medium | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | CRLF response splitting. |
| 2006/11/22 | CVE-2006-6969 | low | high | < 6.1.0, < 6.0.2, < 5.1.12, < 4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability. |
| 2006/06/01 | CVE-2006-2759 | medium | medium | < 6.0.*, < 6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility. |
| 2006/01/05 | | medium | medium | < 5.1.10 | 5.1.10 | Fixed // security constraint bypass on Windows. |
| 2005/11/18 | CVE-2006-2758 | medium | medium | < 5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility. |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | < 4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix. |
| 2002/09/22 | | high | high | < 4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit. |
| 2002/03/12 | | medium | | < 3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass. |
| 2001/10/21 | | medium | high | < 3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass. |