Difference between revisions of "Jetty/Jetty Security Reports"
Line 13: | Line 13: | ||
| scope="col" width="225" | Comment | | scope="col" width="225" | Comment | ||
|- | |- | ||
− | | | + | | 12/29/2011 |
− | | | + | | |
− | | | + | | |
− | | | + | [http://www.ocert.org/advisories/ocert-2011-003.html CERT 2011-003] |
− | | | + | [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461] |
− | | | + | |
− | | | + | [https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638 Jetty-367638] |
+ | | high | ||
+ | | high | ||
+ | | All versions | ||
+ | | 7.6.0.RC0 | ||
+ | | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | ||
+ | |||
|- | |- | ||
| 5/11/2009 | | 5/11/2009 | ||
| | | | ||
− | + | [http://www.kb.cert.org/vuls/id/120541 CERT 120541] | |
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CEV-2009-3555] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CEV-2009-3555] | ||
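Review bot: In the new 12/29/2011 row the first ID link is labelled "CERT 2011-003", but its target is www.ocert.org/advisories/ocert-2011-003.html, so the label should read "oCERT 2011-003" to keep it distinct from the kb.cert.org entries such as "CERT 120541" in the next row. The Comment cell names only the fix (ContextHandler.setMaxFormKeys) and not the problem it addresses, so a reader has to follow the links to learn what the parameter limit protects against; a few words describing the issue would help. While this part of the table is being edited, the 5/11/2009 row still labels its link "CEV-2009-3555" although the URL is for CVE-2009-3555.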
Line 160: | Line 166: | ||
|} | |} | ||
− | === Known Jetty 6 Issues === | + | === Known Jetty 6 Issues === |
none | none | ||
− | ===Known Jetty 5 Issues=== | + | === Known Jetty 5 Issues === |
{| border="1" cellpadding="1" cellspacing="1" | {| border="1" cellpadding="1" cellspacing="1" | ||
|- | |- | ||
| scope="col" width="45" | ID | | scope="col" width="45" | ID | ||
− | | scope="col" width="225" | Explanation | + | | scope="col" width="225" | Explanation |
|- | |- | ||
| | | | ||
− | + | [http://www.kb.cert.org/vuls/id/23788 CERT 23788] | |
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CEV-2007-5613] | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CEV-2007-5613] | ||
+ | |||
| The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | | The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | ||
|- | |- | ||
− | | | + | | |
− | [http://www.kb.cert.org/vuls/id/438616 CERT438616] | + | [http://www.kb.cert.org/vuls/id/438616 CERT438616] [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] |
− | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614] | + | |
| HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | | HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | ||
|- | |- | ||
− | | | + | | |
− | [http://www.kb.cert.org/vuls/id/212984 CERT 212984] | + | [http://www.kb.cert.org/vuls/id/212984 CERT 212984] [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] |
− | [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615] | + | |
| The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. | ||
|} | |} |
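Review bot: The ID cells in the Jetty 5 table end up formatted inconsistently: the CERT438616 and CERT 212984 cells now carry their CERT and CVE links on one line, while the first cell still has CERT 23788 and its CVE link on separate lines. That first cell also keeps the label "CEV-2007-5613" for a URL that names CVE-2007-5613, and "CERT438616" lacks the space used in "CERT 23788" and "CERT 212984"; since this revision is a formatting cleanup of exactly these cells, both labels are worth correcting here.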
Revision as of 18:14, 11 January 2012
Jetty Security Reports
Resolved Issues
| Date | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
|---|---|---|---|---|---|---|
| 12/29/2011 | CERT 2011-003, CVE-2011-4461, Jetty-367638 | high | high | All versions | 7.6.0.RC0 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
| 5/11/2009 | CERT 120541, CVE-2009-3555 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 | Workaround by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors |
| 1/7/2009 | JETTY-1042 | low | high | <=6.1.18, <=7.0.0.M4 | 6.1.19, 7.0.0.Rc0 | cookie leak between requests sharing a connection |
| 4/30/2009 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 | 5.1.15, 6.1.18, 7.0.0.M2 [JETTY-1004] | view arbitrary disk content in some specific configurations |
| 12/22/2007 | CVE 2007-6672, CERT 553235 | high | medium | 6.1.rrc0-6.1.6 | 6.1.7 | Static content visible in WEB-INF and past security constraints |
| 11/5/2007 | | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | Single quote in cookie name |
| 11/5/2007 | | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) | XSS in demo dump servlet |
| 10/3/2007 | | medium | medium | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) | CRLF Response splitting |
| 11/22/2006 | CVE-2006-6969 | low | high | <6.1.0, <6.0.2, <5.1.12, <4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 6/1/2006 | CVE-2006-2759 | medium | medium | 6.0.*<6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility |
| 1/5/2006 | | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on windows |
| 11/18/2005 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 2/4/2004 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 9/22/2002 | | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit |
| 3/12/2002 | | medium | | <3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass |
| 10/21/2006 | | medium | | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass |
Known Jetty 6 Issues
none
Known Jetty 5 Issues
| ID | Explanation |
|---|---|
| CERT 23788, CVE-2007-5613 | The demonstration Dump servlet is vulnerable to cross-site scripting. The Dump servlet from Jetty 5 should not be deployed on production sites. |
| CERT438616, CVE-2007-5614 | HTTP cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. |
| CERT 212984, CVE-2007-5615 | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either an HTTP header name or an HTTP header value. |