jetty-server-9.3.8.v20160314.jar: 11 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-7657 | High | 9.8 | multiple | Transitive | N/A | ❌ |
CVE-2016-4800 | High | 9.8 | multiple | Direct | org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0 | ✅ |
CVE-2017-7658 | High | 9.8 | multiple | Transitive | N/A | ❌ |
CVE-2017-9735 | High | 7.5 | jetty-util-9.3.8.v20160314.jar | Transitive | N/A | ❌ |
CVE-2017-7656 | High | 7.5 | multiple | Direct | org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606.,9.3.24.v20180605,9.4.11.v20180605 | ❌ |
CVE-2021-28165 | High | 7.5 | jetty-io-9.3.8.v20160314.jar | Transitive | N/A | ❌ |
CVE-2019-10241 | Medium | 6.1 | multiple | Transitive | N/A | ✅ |
CVE-2018-12536 | Medium | 5.3 | multiple | Transitive | N/A | ✅ |
CVE-2019-10247 | Medium | 5.3 | jetty-server-9.3.8.v20160314.jar | Direct | 9.2.28.v20190418 | ✅ |
CVE-2021-28169 | Medium | 5.3 | multiple | Direct | org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3 | ✅ |
CVE-2021-34428 | Low | 3.5 | jetty-server-9.3.8.v20160314.jar | Direct | org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3 | ✅ |
Details
CVE-2017-7657
Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar
jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605
CVE-2016-4800
Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-util-9.3.8.v20160314.jar
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- jetty-io-9.3.8.v20160314.jar
- ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)
- jetty-io-9.3.8.v20160314.jar
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
Publish Date: 2017-04-13
URL: CVE-2016-4800
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4800
Release Date: 2017-04-13
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0
⛑️ Automatic Remediation is available for this issue
CVE-2017-7658
Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar
jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606
CVE-2017-9735
Vulnerable Library - jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- jetty-io-9.3.8.v20160314.jar
- ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)
- jetty-io-9.3.8.v20160314.jar
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Publish Date: 2017-06-16
URL: CVE-2017-9735
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
Release Date: 2017-06-16
Fix Resolution: 9.4.7.RC0
CVE-2017-7656
Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publish Date: 2018-06-26
URL: CVE-2017-7656
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606.,9.3.24.v20180605,9.4.11.v20180605
CVE-2021-28165
Vulnerable Library - jetty-io-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.3.8.v20160314/371e3c2b72d9a9737579ec0fdfd6a2a3ab8b8141/jetty-io-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- ❌ jetty-io-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2
CVE-2019-10241
Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar
jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- jetty-io-9.3.8.v20160314.jar
- ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)
- jetty-io-9.3.8.v20160314.jar
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.
Publish Date: 2019-04-22
URL: CVE-2019-10241
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
Release Date: 2019-04-22
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16
⛑️ Automatic Remediation is available for this issue
CVE-2018-12536
Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar
jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- jetty-io-9.3.8.v20160314.jar
- ❌ jetty-util-9.3.8.v20160314.jar (Vulnerable Library)
- jetty-io-9.3.8.v20160314.jar
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Publish Date: 2018-06-27
URL: CVE-2018-12536
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: jetty/jetty.project@ad4dceb
Release Date: 2018-06-27
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605
⛑️ Automatic Remediation is available for this issue
CVE-2019-10247
Vulnerable Library - jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Publish Date: 2019-04-22
URL: CVE-2019-10247
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
Release Date: 2019-04-22
Fix Resolution: 9.2.28.v20190418
⛑️ Automatic Remediation is available for this issue
CVE-2021-28169
Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar
jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
- ❌ jetty-http-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3
⛑️ Automatic Remediation is available for this issue
CVE-2021-34428
Vulnerable Library - jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- ❌ jetty-server-9.3.8.v20160314.jar (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
Vulnerability Details
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Publish Date: 2021-06-22
URL: CVE-2021-34428
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Physical
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-m6cp-vxjx-65j6
Release Date: 2021-06-22
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
✔️ This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.