All errata/sisyphus/ALT-PU-2024-15998-2
ALT-PU-2024-15998-2

Package update jetty in branch sisyphus

Version9.4.56-alt1
Task#363120
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (46)

BDU:2021-03243
LOW2.9

Уязвимость метода SessionListener#sessionDestroyed() контейнера сервлетов Eclipse Jetty, позволяющая нарушителю повысить свои привилегии

Published: 2021-06-25Modified: 2022-10-18
CVSS 3.xLOW 2.9
CVSS:3.x/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 2.0LOW 2.6
CVSS:2.0/AV:L/AC:H/Au:N/C:P/I:P/A:N
References
BDU:2022-01815
MEDIUM5.3

Уязвимость контейнера сервлетов Jetty, связанная с неправильной авторизацией, позволяющая нарушителю получить доступ к конфиденциальным данным

Published: 2022-04-05Modified: 2022-10-18
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2023-00477
LOW2.7

Уязвимость контейнера сервлетов Eclipse Jetty, существующая из-за недостаточной проверки входных данных, позволяющая нарушителю привести к сбоям в сценарии прокси

Published: 2023-01-31Modified: 2023-09-13
CVSS 3.xLOW 2.7
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
References
BDU:2023-05675
MEDIUM5.3

Уязвимость функций HttpServletRequest.getParameter() иHttpServletRequest.getParts() контейнера сервлетов Eclipse Jetty, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-15Modified: 2026-02-10
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0CRITICAL 10.0
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2023-05680
MEDIUM5.3

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с отсутствием защиты служебных данных, позволяющая нарушителю получить конфиденциальную информацию

Published: 2023-09-15Modified: 2024-01-10
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2023-05681
HIGH7.5

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с недостаточным управлением системными ресурсами, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-09-15Modified: 2024-01-11
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2023-05682
MEDIUM5.3

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с ошибками проверки синтаксической корректности ввода, позволяющая нарушителю внедрить одни cookies внутрь других и повлиять на их обработку

Published: 2023-09-15Modified: 2026-02-10
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2023-06394
MEDIUM4.3

Уязвимость класса OpenIdAuthenticator контейнера сервлетов Eclipse Jetty, позволяющая нарушителю обойти ограничения безопасности

Published: 2023-10-06Modified: 2024-04-04
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
References
BDU:2023-06559
HIGH7.5

Уязвимость реализации протокола HTTP/2, связанная с возможностью формирования потока запросов в рамках уже установленного сетевого соединения, без открытия новых сетевых соединений и без подтверждения получения пакетов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2023-10-11Modified: 2026-05-06
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-02254
MEDIUM5.3

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с ошибками при обработке параметров длины входных данных, позволяющая нарушителю выполнять атаку «контрабанда HTTP-запросов»

Published: 2024-03-22Modified: 2024-07-30
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
BDU:2024-03239
HIGH7.5

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю ограничить сервер на принятие новые соединения от действительных клиентов

Published: 2024-04-25Modified: 2024-08-26
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C
References
BDU:2024-05833
MEDIUM4.3

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неправильной нейтрализацией синтаксиса цитирования, позволяющая нарушителю выполнить произвольный код

Published: 2024-07-31Modified: 2024-08-26
CVSS 3.xMEDIUM 4.3
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
References
BDU:2024-11324
MEDIUM5.3

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании (DoS)

Published: 2024-12-19Modified: 2025-06-09
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2025-03454
MEDIUM6.5

Уязвимость контейнера сервлетов Eclipse Jetty, связанная с неконтролируемым потреблением ресурсов, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2025-03-27Modified: 2026-02-10
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:N/A:C
References
CVE-2021-28169
MEDIUM5.3

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Published: 2021-06-09Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2021-34428
LOW3.5

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Published: 2021-06-22Modified: 2024-11-21
CVSS 2.0LOW 3.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:N
CVSS 3.xLOW 3.5
CVSS:3.x/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
CVE-2021-34429
MEDIUM5.3

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc5.

Published: 2021-07-15Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2022-2047
LOW2.7

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Published: 2022-07-07Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:N/I:P/A:N
CVSS 3.xLOW 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
References
CVE-2022-2048
HIGH7.5

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and associated resources. This can lead to a Denial of Service scenario where there are no enough resources left to process good requests.

Published: 2022-07-07Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2023-26048
MEDIUM5.3

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Published: 2023-04-18Modified: 2024-11-21
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
CVE-2023-26049
MEDIUM5.3

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"` will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.

Published: 2023-04-18Modified: 2024-11-21
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
CVE-2023-36478
HIGH7.5

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

Published: 2023-10-10Modified: 2024-11-21
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2023-36479
LOW3.1

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Published: 2023-09-15Modified: 2025-05-27
CVSS 3.xLOW 3.1
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
References
CVE-2023-40167
MEDIUM5.3

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Published: 2023-09-15Modified: 2024-11-21
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2023-41900
MEDIUM4.3

Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current request will still treat the user as authenticated. The authentication is then cleared from the session and subsequent requests will not be treated as authenticated. So a request on a previously authenticated session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This impacts usages of the jetty-openid which have configured a nested `LoginService` and where that `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and 11.0.16 have a patch for this issue.

Published: 2023-09-15Modified: 2024-11-21
CVSS 3.xMEDIUM 4.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
References
CVE-2023-44487
HIGH7.5

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Published: 2023-10-10Modified: 2025-11-07
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-22201
HIGH7.5

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

Published: 2024-02-26Modified: 2025-02-13
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-8184
MEDIUM6.5

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

Published: 2024-10-14Modified: 2025-11-03
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
CVE-2024-9823
HIGH7.5

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

Published: 2024-10-14Modified: 2025-11-03
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-3gh6-v5v9-6v9j
LOW3.5

Jetty vulnerable to errant command quoting in CGI Servlet

Published: 2023-09-14Modified: 2025-02-13
CVSS 3.xLOW 3.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
References
GHSA-cj7v-27pg-wf7q
LOW2.7

Jetty invalid URI parsing may produce invalid HttpURI.authority

Published: 2022-07-07Modified: 2022-07-19
CVSS 3.xLOW 2.7
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
References
GHSA-g8m5-722r-8whq
MEDIUM5.9

Eclipse Jetty's ThreadLimitHandler.getRemote() vulnerable to remote DoS attacks

Published: 2024-10-15Modified: 2025-11-04
CVSS 3.xMEDIUM 5.9
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-gwcr-j4wh-j3cq
MEDIUM5.3

Jetty Utility Servlets ConcatServlet Double Decoding Information Disclosure Vulnerability

Published: 2021-06-10Modified: 2022-02-09
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
GHSA-hmr7-m48g-48f6
MEDIUM5.3

Jetty accepts "+" prefixed value in Content-Length

Published: 2023-09-14Modified: 2023-10-03
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
GHSA-j26w-f9rq-mr2q
MEDIUM5.3

Eclipse Jetty has a denial of service vulnerability on DosFilter

Published: 2024-10-14Modified: 2025-11-04
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-m6cp-vxjx-65j6
LOW3.5

SessionListener can prevent a session from being invalidated breaking logout

Published: 2021-06-23Modified: 2022-02-09
CVSS 3.xLOW 3.5
CVSS:3.x/CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
References
GHSA-p26g-97m4-6q7c
LOW2.4

Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

Published: 2023-04-19
CVSS 3.xLOW 2.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
References
GHSA-pwh8-58vv-vw48
LOW3.5

Jetty's OpenId Revoked authentication allows one request

Published: 2023-09-15Modified: 2024-09-10
CVSS 3.xLOW 3.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
References
GHSA-qppj-fm5r-hxr3
MEDIUM6.9

HTTP/2 Stream Cancellation Attack

Published: 2023-10-11Modified: 2025-10-22
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:H
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:A
References
GHSA-qw69-rqj8-6qw8
MEDIUM5.3

OutOfMemoryError for large multipart without filename in Eclipse Jetty

Published: 2023-04-19
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
References
GHSA-rggv-cv7r-mw98
HIGH7.5

Connection leaking on idle timeout when TCP congested

Published: 2024-02-26Modified: 2025-02-07
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-vjv5-gp2w-65vm
MEDIUM5.3

Encoded URIs can access WEB-INF directory in Eclipse Jetty

Published: 2021-07-19Modified: 2022-04-19
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
References
GHSA-wgh7-54f2-x98r
HIGH7.5

HTTP/2 HPACK integer overflow and buffer allocation

Published: 2023-10-11Modified: 2024-06-22
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-wgmr-mf83-7x4j
HIGH7.5

Jetty vulnerable to Invalid HTTP/2 requests that can lead to denial of service

Published: 2022-07-07Modified: 2022-07-19
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
GHSA-xpw8-rcwv-8f8p
HIGH7.5

io.netty:netty-codec-http2 vulnerable to HTTP/2 Rapid Reset Attack

Published: 2023-10-11Modified: 2023-11-07
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References