Notice: This Wiki is now read only and edits are no longer possible. Please see: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/wikis/Wiki-shutdown-plan for the plan.
Jetty/Jetty Security Reports
Contents
Jetty Security Reports
Resolved Issues
| YYYY MM DD | ID | Exploitable | Severity | Affects | Fixed Version | Comment |
| 2011/12/29 | high | high | All versions | 7.6.0.RC0 | Added ContextHandler.setMaxFormKeys(int keys) to limit the number of parameters (default 1000). | |
| 2009/11/05 | medium | high | JVM<1.6u19 | jetty-7.01.v20091125, jetty-6.1.22 |
Workaround by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19 setAllowRenegotiate(true) may be called on connectors | |
| 2009/07/01 | JETTY-1042 | low | high | <=6.1.18, <=7.0.0.M4 |
6.1.19, 7.0.0.Rc0 |
cookie leak between requests sharing a connection |
| 2009/04/30 | CERT402580 | medium | high | <=6.1.16, <=7.0.0.M2 |
5.1.15,6.1.18,7.0.0.M2 JETTY-1004 |
view arbitrary disk content in some specific configurations |
| 2007/12/22 | CERT553235 CVE-2007-6672 |
high | medium | 6.1.rrc0-6.1.6 |
6.1.7 |
Static content visible in WEB-INF and past security constraints |
| 2007/11/05 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) |
Single quote in cookie name | |
| 2007/11/05 | low | low | < 6.1.6 | 6.1.6rc1 (patch in CVS for jetty5) |
XSS in demo dump servlet | |
| 2007/10/03 | medium | medium | < 6.1.6 | 6.1.6rc0 (patch in CVS for jetty5) |
CRLF Response splitting | |
| 2006/11/22 | CVE-2006-6969 | low | high | <6.1.0,<6.0.2, <5.1.12,<4.2.27 |
6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 2006/06/01 | CVE-2006-2759 | medium | medium | 6.0.*<6.0.0Beta17 | 6.0.0Beta17 | JSP source visibility |
| 2006/01/05 | medium | medium | <5.1.10 | 5.1.10 | Fixed // security constraint bypass on windows | |
| 2005/11/18 | CVE-2006-2758 | medium | medium | <5.1.6 | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 2004/02/04 | JSSE 1.0.3_01 | medium | medium | <4.2.7 | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 2002/09/22 | high | high | <4.1.0 | 4.1.0 | Fixed CGI servlet remove exploit | |
| 2002/03/12 | medium | |
<3.1.7 | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass | |
| 2001/10/21 | medium | <3.1.3 | 3.1.3 | Fixed trailing null security constraint bypass |
Known Jetty 6 Issues
none
Known Jetty 5 Issues
| ID | Explanation |
| The demonstration Dump servlet is vulnerable to cross site scripting. The Dump servlet from jetty 5 should not be deployed on production sites. | |
| HTTP Cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5. | |
| The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either a HTTP header name or a HTTP header value. |