Jump to: navigation, search

Jetty/Jetty Security Reports

Jetty Security Reports

Warning2.png
Some or all of this content remains to be ported to Jetty 9 Documentation.
If you are interested in migrating this content see our contribution guide or contact us.


Resolved Issues

yyyy/mm/dd ID Exploitable Severity Affects Fixed Version Comment
2011/12/29

CERT2011-003

CVE-2011-4461

high high All versions 7.6.0.RC0

Jetty-367638

Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000).
2009/11/05

CERT120541

CVE-2009-3555

medium high JVM<1.6u19 jetty-7.01.v20091125,
jetty-6.1.22
Work around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19

setAllowRenegotiate(true) may be called on connectors
2009/06/18 JETTY-1042 low high <=6.1.18,
<=7.0.0.M4
6.1.19,
7.0.0.Rc0
cookie leak between requests sharing a connection
2009/04/30 CERT402580 medium high <=6.1.16,
<=7.0.0.M2
5.1.15,6.1.18,7.0.0.M2
JETTY-1004
view arbitrary disk content in some specific configurations
2007/12/22 CERT553235
CVE-2007-6672
high medium 6.1.rrc0-6.1.6

6.1.7
JETTY-386

Static content visible in WEB-INF and past security constraints
2007/11/05

CERT438616

CVE-2007-5614

low low < 6.1.6 6.1.6rc1
(patch in CVS for jetty5)
Single quote in cookie name
2007/11/05

CERT237888

CVE-2007-5613

low low < 6.1.6 6.1.6rc1
(patch in CVS for jetty5)
XSS in demo dump servlet
2007/11/03

CERT212984

CVE-2007-5615

medium medium < 6.1.6 6.1.6rc0
(patch in CVS for jetty5)
CRLF Response splitting
2006/11/22 CVE-2006-6969 low high <6.1.0,<6.0.2,
<5.1.12,<4.2.27
6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 Session ID predictability
2006/06/01 CVE-2006-2759 medium medium 6.0.*<6.0.0Beta17 6.0.0Beta17 JSP source visibility
2006/01/05 medium medium <5.1.10 5.1.10 Fixed // security constraint bypass on windows
2005/11/18 CVE-2006-2758 medium medium <5.1.6 5.1.6, 6.0.0Beta4 JSP source visibility
2004/02/04 JSSE 1.0.3_01 medium medium <4.2.7 4.2.7 Upgraded JSSE to obtain downstream security fix
2002/09/22 high high <4.1.0 4.1.0 Fixed CGI servlet remove exploit
2002/03/12 medium
<3.1.7 4.0.RC2, 3.1.7 Fixed // security constraint bypass
2001/10/21 medium <3.1.3 3.1.3 Fixed trailing null security constraint bypass

Known Jetty 6 Issues

none

Known Jetty 5 Issues

ID Explanation

CERT 237888

CVE-2007-5613

The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites.

CERT438616

CVE-2007-5614

HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5.

CERT212984

CVE-2007-5615

The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value.