
Difference between revisions of "Jetty/Jetty Security Reports"

m
m
Line 5: Line 5:
 
{| align="top" border="1" cellpadding="1" cellspacing="1"
 
{| align="top" border="1" cellpadding="1" cellspacing="1"
 
|-
 
|-
| scope="col" width="45" | Date
+
| scope="col" width="45" | YYYY MM DD
 
| scope="col" width="225" | ID  
 
| scope="col" width="225" | ID  
 
| scope="col" width="70" | Exploitable  
 
| scope="col" width="70" | Exploitable  
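Review bot: The new column header "YYYY MM DD" is written with spaces, but every date this revision puts in that column uses slashes (for example "2011/12/29"). Either write the header as "YYYY/MM/DD" so it matches the cell format, or keep the header as "Date" and state the format once above the table.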
Line 13: Line 13:
 
| scope="col" width="250" | Comment
 
| scope="col" width="250" | Comment
 
|-
 
|-
| 12/29/2011
+
| 2011/12/29  
 
|  
 
|  
[http://www.ocert.org/advisories/ocert-2011-003.html CERT 2011-003]
+
[http://www.ocert.org/advisories/ocert-2011-003.html CERT2011-003]
 
   
 
   
 
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461]
 
[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461 CVE-2011-4461]
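Review bot: The link label "CERT2011-003" points to www.ocert.org/advisories/ocert-2011-003.html, while the other CERT entries in this table link to www.kb.cert.org/vuls/id/. With the space removed the label now reads like one of those kb.cert.org IDs; a label such as "oCERT-2011-003" would match the advisory name in the URL and keep the two sources distinguishable.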
Line 27: Line 27:
  
 
|-
 
|-
| 11/5/2009
+
| 2009/11/05
 
|  
 
|  
[http://www.kb.cert.org/vuls/id/120541 CERT 120541]  
+
[http://www.kb.cert.org/vuls/id/120541 CERT120541]  
  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CVE-2009-3555]  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 CVE-2009-3555]  
Line 38: Line 38:
 
| Workaround by turning off SSL renegotiation in Jetty. If using JVM &gt; 1.6u19<br><br>setAllowRenegotiate(true) may be called on connectors
 
| Workaround by turning off SSL renegotiation in Jetty. If using JVM &gt; 1.6u19<br><br>setAllowRenegotiate(true) may be called on connectors
 
|-
 
|-
|7/1/2009
+
| 2009/07/01
 
| [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042]  
 
| [http://jira.codehaus.org/browse/JETTY-1042 JETTY-1042]  
 
| low  
 
| low  
Line 46: Line 46:
 
| cookie leak between requests sharing a connection
 
| cookie leak between requests sharing a connection
 
|-
 
|-
| 4/30/2009
+
| 2009/04/30
 
| [http://www.kb.cert.org/vuls/id/402580 CERT402580]  
 
| [http://www.kb.cert.org/vuls/id/402580 CERT402580]  
 
| medium<span class="Apple-tab-span" style="white-space:pre"> </span>  
 
| medium<span class="Apple-tab-span" style="white-space:pre"> </span>  
Line 54: Line 54:
 
| view arbitrary disk content in some specific configurations
 
| view arbitrary disk content in some specific configurations
 
|-
 
|-
| 12/22/2007
+
| 2007/12/22  
| [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE 2007-6672]<br><br>[http://www.kb.cert.org/vuls/id/553235 CERT 553235]  
+
| [http://www.kb.cert.org/vuls/id/553235 CERT553235] <br>[http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672 CVE-2007-6672]
 
| high  
 
| high  
 
| medium  
 
| medium  
Line 64: Line 64:
 
| Static content visible in WEB-INF and past security constraints
 
| Static content visible in WEB-INF and past security constraints
 
|-
 
|-
| 11/5/2007
+
| 2007/11/05
 
|  
 
|  
 +
[http://www.kb.cert.org/vuls/id/438616 CERT438616]
 +
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614]  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614 CVE-2007-5614]  
 
[http://www.kb.cert.org/vuls/id/438616 CERT 438616]
 
 
| low  
 
| low  
 
| low  
 
| low  
Line 75: Line 75:
 
| Single quote in cookie name
 
| Single quote in cookie name
 
|-
 
|-
| 11/5/2007
+
| 2007/11/05
 
|  
 
|  
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613]  
+
[http://www.kb.cert.org/vuls/id/237888 CERT237888]  
  
[http://www.kb.cert.org/vuls/id/237888 CERT 237888]  
+
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613]  
 
| low  
 
| low  
 
| low  
 
| low  
Line 86: Line 86:
 
| XSS in demo dump servlet
 
| XSS in demo dump servlet
 
|-
 
|-
| 10/3/2007
+
| 2007/10/03
 
|  
 
|  
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615]  
+
[http://www.kb.cert.org/vuls/id/212984 CERT212984]  
  
[http://www.kb.cert.org/vuls/id/212984 CERT 212984]  
+
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615]  
 
| medium  
 
| medium  
 
| medium  
 
| medium  
Line 97: Line 97:
 
| CRLF Response splitting
 
| CRLF Response splitting
 
|-
 
|-
| 11/22/2006
+
| 2006/11/22  
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969]  
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969 CVE-2006-6969]  
 
| low  
 
| low  
Line 105: Line 105:
 
| Session ID predictability
 
| Session ID predictability
 
|-
 
|-
| 6/1/2006
+
| 2006/06/01
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759]  
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759 CVE-2006-2759]  
 
| medium  
 
| medium  
Line 113: Line 113:
 
| JSP source visibility
 
| JSP source visibility
 
|-
 
|-
| 1/5/2006
+
| 2006/01/05
 
|  
 
|  
 
| medium  
 
| medium  
Line 121: Line 121:
 
| Fixed // security constraint bypass on windows
 
| Fixed // security constraint bypass on windows
 
|-
 
|-
| 11/18/2005
+
| 2005/11/18  
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758]  
 
| [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758 CVE-2006-2758]  
 
| medium  
 
| medium  
Line 129: Line 129:
 
| JSP source visibility
 
| JSP source visibility
 
|-
 
|-
| 2/4/2004
+
| 2004/02/04
 
| JSSE 1.0.3_01  
 
| JSSE 1.0.3_01  
 
| medium  
 
| medium  
Line 137: Line 137:
 
| Upgraded JSSE to obtain downstream security fix
 
| Upgraded JSSE to obtain downstream security fix
 
|-
 
|-
| 9/22/2002
+
| 2002/09/22
 
|  
 
|  
 
| high  
 
| high  
Line 145: Line 145:
 
| Fixed CGI servlet remove exploit
 
| Fixed CGI servlet remove exploit
 
|-
 
|-
| 3/12/2002
+
| 2002/03/12
 
|  
 
|  
 
| medium  
 
| medium  
Line 153: Line 153:
 
| Fixed // security constraint bypass
 
| Fixed // security constraint bypass
 
|-
 
|-
| 10/21/2001
+
| 2001/10/21  
 
|  
 
|  
 
| medium  
 
| medium  
Line 174: Line 174:
 
|-
 
|-
 
|  
 
|  
[http://www.kb.cert.org/vuls/id/23788 CERT 23788]  
+
[http://www.kb.cert.org/vuls/id/237888 CERT 237888]  
  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613]  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613 CVE-2007-5613]  
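Review bot: The corrected link on the added line still uses the label "CERT 237888" with a space, while the same ID is changed to "CERT237888" in the hunk at Line 75 and the neighbouring entry here becomes "CERT212984". The URL fix from id/23788 to id/237888 is right; drop the space in the label as well so the ID is written one way across the page.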
Line 188: Line 188:
 
|-
 
|-
 
|  
 
|  
[http://www.kb.cert.org/vuls/id/212984 CERT 212984]  
+
[http://www.kb.cert.org/vuls/id/212984 CERT212984]  
  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615]  
 
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615 CVE-2007-5615]  

Revision as of 11:45, 12 January 2012

Jetty Security Reports

Resolved Issues

| YYYY MM DD | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
|---|---|---|---|---|---|---|
| 2011/12/29 | CERT2011-003<br>CVE-2011-4461 | high | high | All versions | 7.6.0.RC0<br>Jetty-367638 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). |
| 2009/11/05 | CERT120541<br>CVE-2009-3555 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125,<br>jetty-6.1.22 | Workaround by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19<br><br>setAllowRenegotiate(true) may be called on connectors |
| 2009/07/01 | JETTY-1042 | low | high | <=6.1.18,<br><=7.0.0.M4 | 6.1.19,<br>7.0.0.Rc0 | cookie leak between requests sharing a connection |
| 2009/04/30 | CERT402580 | medium | high | <=6.1.16,<br><=7.0.0.M2 | 5.1.15,6.1.18,7.0.0.M2<br>JETTY-1004 | view arbitrary disk content in some specific configurations |
| 2007/12/22 | CERT553235<br>CVE-2007-6672 | high | medium | 6.1.rrc0-6.1.6 | 6.1.7<br>JETTY-386 | Static content visible in WEB-INF and past security constraints |
| 2007/11/05 | CERT438616<br>CVE-2007-5614 | low | low | < 6.1.6 | 6.1.6rc1<br>(patch in CVS for jetty5) | Single quote in cookie name |
| 2007/11/05 | CERT237888<br>CVE-2007-5613 | low | low | < 6.1.6 | 6.1.6rc1<br>(patch in CVS for jetty5) | XSS in demo dump servlet |
| 2007/10/03 | CERT212984<br>CVE-2007-5615 | medium | medium | < 6.1.6 | 6.1.6rc0<br>(patch in CVS for jetty5) | CRLF Response splitting |
| 2006/11/22 | CVE-2006-6969 | low | high | <6.1.0,<6.0.2,<br><5.1.12,<4.2.27 | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 2006/06/01 | CVE-2006-2759 | medium | medium | 6.0.*<6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility |
| 2006/01/05 | | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on windows |
| 2005/11/18 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 2002/09/22 | | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit |
| 2002/03/12 | | medium | | <3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass |
| 2001/10/21 | | medium | | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass |

Known Jetty 6 Issues

none

Known Jetty 5 Issues

| ID | Explanation |
|---|---|
| CERT 237888<br>CVE-2007-5613 | The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. |
| CERT438616<br>CVE-2007-5614 | HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. |
| CERT212984<br>CVE-2007-5615 | The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. |
