Skip to main content

Jetty

36 CVEs product

Monthly

CVE-2026-1605 Maven HIGH PATCH This Week

Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.

Jetty Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-11143 Maven LOW PATCH Monitor

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. [CVSS 3.7 LOW]

Code Injection Jetty
NVD GitHub HeroDevs VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-5115 Maven HIGH PATCH This Month

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Red Hat Suse
NVD GitHub
CVSS 4.0
7.7
EPSS
0.1%
CVE-2025-1948 Maven HIGH PATCH This Week

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Red Hat
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
CVE-2024-13009 Maven HIGH PATCH This Week

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jetty Red Hat Suse
NVD GitHub
CVSS 3.1
7.2
EPSS
0.6%
CVE-2024-8184 Maven MEDIUM PATCH This Month

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Jetty
NVD GitHub
CVSS 3.1
6.5
EPSS
1.0%
CVE-2024-6763 Maven MEDIUM POC PATCH This Month

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Open Redirect Jetty
NVD GitHub
CVSS 3.1
5.3
EPSS
1.0%
CVE-2024-6762 Maven MEDIUM PATCH This Month

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Jetty
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-9823 Maven HIGH PATCH This Week

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Bootstrap Os Active Iq Unified Manager
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-22201 Maven HIGH PATCH This Week

Jetty is a Java based web server and servlet engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Jetty Debian Linux Active Iq Unified Manager +1
NVD GitHub
CVSS 3.1
7.5
EPSS
1.4%
CVE-2023-36478 Maven HIGH POC PATCH This Week

Eclipse Jetty provides a web server and servlet container. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Denial Of Service Jetty Jenkins Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
3.8%
CVE-2023-41900 Maven MEDIUM POC PATCH This Month

Jetty is a Java based web server and servlet engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java Authentication Bypass Jetty Debian Linux
NVD GitHub
CVSS 3.1
4.3
EPSS
0.8%
CVE-2023-40167 Maven MEDIUM PATCH This Month

Jetty is a Java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jetty Debian Linux
NVD GitHub
CVSS 3.1
5.3
EPSS
1.1%
CVE-2023-36479 Maven LOW POC PATCH Monitor

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Canonical Information Disclosure Jetty Debian Linux
NVD GitHub
CVSS 3.1
3.1
EPSS
1.0%
CVE-2023-26049 Maven MEDIUM PATCH This Month

Jetty is a java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Java Information Disclosure Jetty Debian Linux Active Iq Unified Manager +3
NVD GitHub
CVSS 3.1
5.3
EPSS
1.3%
CVE-2023-26048 Maven MEDIUM PATCH This Month

Jetty is a java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Java Denial Of Service Jetty
NVD GitHub
CVSS 3.1
5.3
EPSS
3.3%
CVE-2022-2191 Maven HIGH POC PATCH This Week

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jetty
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2022-2048 Maven HIGH PATCH This Week

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Debian Linux Element Plug In For Vcenter Server Management Services For Element Software And Netapp Hci +4
NVD GitHub
CVSS 3.1
7.5
EPSS
2.3%
CVE-2022-2047 Maven LOW PATCH Monitor

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Jetty Debian Linux Element Plug In For Vcenter Server Management Services For Element Software And Netapp Hci +3
NVD GitHub
CVSS 3.1
2.7
EPSS
1.2%
CVE-2021-34429 Maven MEDIUM POC PATCH THREAT This Month

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jetty E Series Santricity Os Controller E Series Santricity Web Services Element Plug In For Vcenter Server +14
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
99.3%
CVE-2021-34428 Maven LOW PATCH Monitor

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Jetty Debian Linux Active Iq Unified Manager E Series Santricity Os Controller +12
NVD GitHub
CVSS 3.1
3.5
EPSS
1.0%
CVE-2021-28169 Maven MEDIUM POC PATCH THREAT This Month

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Jetty Debian Linux Communications Cloud Native Core Policy Rest Data Services +4
NVD GitHub
CVSS 3.1
5.3
EPSS
78.5%
CVE-2021-28165 Maven HIGH POC PATCH THREAT This Week

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Jetty Autovue For Agile Product Lifecycle Management Communications Cloud Native Core Policy Communications Element Manager +17
NVD GitHub
CVSS 3.1
7.5
EPSS
53.9%
CVE-2021-28164 Maven MEDIUM POC PATCH THREAT This Month

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jetty Cloud Manager E Series Performance Analyzer E Series Santricity Os Controller +13
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
82.4%
CVE-2021-28163 Maven LOW POC PATCH Monitor

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Jetty Fedora Ignite Solr +19
NVD GitHub
CVSS 3.1
2.7
EPSS
4.2%
CVE-2020-27218 Maven MEDIUM PATCH This Month

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Code Injection Jetty Oncommand System Manager Snap Creator Framework Blockchain Platform +13
NVD GitHub
CVSS 3.1
4.8
EPSS
8.1%
CVE-2020-27216 Maven HIGH POC PATCH This Week

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between. Rated high severity (CVSS 7.0). Public exploit code available.

Privilege Escalation Jetty Snap Creator Framework Snapcenter Vasa Provider +14
NVD GitHub
CVSS 3.1
7.0
EPSS
4.3%
CVE-2019-17632 Maven MEDIUM PATCH This Month

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jetty
NVD
CVSS 3.1
6.1
EPSS
1.9%
CVE-2019-10247 Maven MEDIUM PATCH This Month

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Oncommand System Manager Snap Creator Framework Snapcenter +22
NVD
CVSS 3.1
5.3
EPSS
5.8%
CVE-2019-10246 Maven MEDIUM PATCH This Month

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Jetty Oncommand System Manager Snap Creator Framework +22
NVD
CVSS 3.1
5.3
EPSS
4.0%
CVE-2019-10241 Maven MEDIUM PATCH This Month

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jetty Debian Linux Activemq Drill +3
NVD
CVSS 3.1
6.1
EPSS
9.6%
CVE-2018-12536 Maven MEDIUM PATCH This Month

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Retail Xstore Point Of Service
NVD
CVSS 3.1
5.3
EPSS
4.3%
CVE-2018-12538 Maven HIGH PATCH This Week

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jetty E Series Santricity Management Plug Ins E Series Santricity Os Controller E Series Santricity Web Services Proxy +8
NVD
CVSS 3.0
8.8
EPSS
2.7%
CVE-2017-9735 Maven HIGH PATCH This Week

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Debian Linux Communications Cloud Native Core Policy Enterprise Manager Base Platform +3
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2016-4800 Maven CRITICAL PATCH Act Now

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Authentication Bypass Jetty
NVD
CVSS 3.0
9.8
EPSS
0.6%
CVE-2015-2080 Maven HIGH POC PATCH THREAT Act Now

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.4%.

Information Disclosure Fedora Jetty
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
92.4%
Threat
5.8
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Eclipse Jetty 12.0.0 through 12.0.31 and 12.1.0 through 12.1.5 suffer from a denial-of-service vulnerability in GzipHandler where decompressor resources leak when processing gzip-compressed requests that generate uncompressed responses. An unauthenticated remote attacker can exhaust server memory by repeatedly sending compressed requests, causing service degradation or unavailability. No patch is currently available.

Jetty Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsing of URIs in systems using multiple components may result in security by-pass. [CVSS 3.7 LOW]

Code Injection Jetty
NVD GitHub HeroDevs VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Month

In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to send RST_STREAM frames, for example by sending frames that are. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Red Hat +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings parameter SETTINGS_MAX_HEADER_LIST_SIZE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Red Hat
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Jetty Red Hat +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Jetty
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

SSRF Open Redirect Jetty
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s memory. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Jetty
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Bootstrap Os +1
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jetty is a Java based web server and servlet engine. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Denial Of Service Jetty +3
NVD GitHub
EPSS 4% CVSS 7.5
HIGH POC PATCH This Week

Eclipse Jetty provides a web server and servlet container. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Integer Overflow Denial Of Service Jetty +2
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM POC PATCH This Month

Jetty is a Java based web server and servlet engine. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Java Authentication Bypass Jetty +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jetty is a Java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Java Information Disclosure Jetty +1
NVD GitHub
EPSS 1% CVSS 3.1
LOW POC PATCH Monitor

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable. Public exploit code available.

Canonical Information Disclosure Jetty +1
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

Jetty is a java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Java Information Disclosure Jetty +5
NVD GitHub
EPSS 3% CVSS 5.3
MEDIUM PATCH This Month

Jetty is a java based web server and servlet engine. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Java Denial Of Service Jetty
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured ByteBufferPool in case of error code paths. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Jetty
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can wind up not properly cleaning up the active connections and. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Jetty Debian Linux +6
NVD GitHub
EPSS 1% CVSS 2.7
LOW PATCH Monitor

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Jetty Debian Linux +5
NVD GitHub
EPSS 99% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jetty E Series Santricity Os Controller +16
NVD GitHub Exploit-DB
EPSS 1% CVSS 3.5
LOW PATCH Monitor

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID. Rated low severity (CVSS 3.5), this vulnerability is no authentication required, low attack complexity.

Information Disclosure Jetty Debian Linux +14
NVD GitHub
EPSS 78% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Jetty Debian Linux +6
NVD GitHub
EPSS 54% CVSS 7.5
HIGH POC PATCH THREAT This Week

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Jetty Autovue For Agile Product Lifecycle Management +19
NVD GitHub
EPSS 82% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Jetty Cloud Manager +15
NVD GitHub Exploit-DB
EPSS 4% CVSS 2.7
LOW POC PATCH Monitor

In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a. Rated low severity (CVSS 2.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Jetty Fedora +21
NVD GitHub
EPSS 8% CVSS 4.8
MEDIUM PATCH This Month

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Code Injection Jetty Oncommand System Manager +15
NVD GitHub
EPSS 4% CVSS 7.0
HIGH POC PATCH This Week

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between. Rated high severity (CVSS 7.0). Public exploit code available.

Privilege Escalation Jetty Snap Creator Framework +16
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Jetty
NVD
EPSS 6% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Oncommand System Manager +24
NVD
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Jetty +24
NVD
EPSS 10% CVSS 6.1
MEDIUM PATCH This Month

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Jetty Debian Linux +5
NVD
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Retail Xstore Point Of Service
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Jetty E Series Santricity Management Plug Ins +10
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Jetty Debian Linux +5
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Microsoft Authentication Bypass Jetty
NVD
EPSS 92% 5.8 CVSS 7.5
HIGH POC PATCH THREAT Act Now

The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process memory via illegal characters in an HTTP header, aka JetLeak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.4%.

Information Disclosure Fedora Jetty
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy