Closed mend-for-github-com[bot] closed 2 years ago
:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.
Vulnerable Library - jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Vulnerabilities
Details
CVE-2017-7657
### Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605
CVE-2016-4800
### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-util-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
Publish Date: 2017-04-13
URL: CVE-2016-4800
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4800
Release Date: 2017-04-13
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2017-7658

### Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two Content-Length headers, Jetty ignored the second. When presented with a Content-Length and a chunked encoding header, the Content-Length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606
CVE-2017-9735
### Vulnerable Library - jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
Publish Date: 2017-06-16
URL: CVE-2017-9735
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
Release Date: 2017-06-16
Fix Resolution: 9.4.7.RC0
CVE-2017-7656
### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publish Date: 2018-06-26
URL: CVE-2017-7656
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606.,9.3.24.v20180605,9.4.11.v20180605
CVE-2021-28165
### Vulnerable Library - jetty-io-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.3.8.v20160314/371e3c2b72d9a9737579ec0fdfd6a2a3ab8b8141/jetty-io-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-io-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2
CVE-2019-10241
### Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client uses a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a listing of directory contents.
Publish Date: 2019-04-22
URL: CVE-2019-10241
### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241
Release Date: 2019-04-22
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2018-12536

### Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-util-9.3.8.v20160314.jar
Utility classes for Jetty
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.
Publish Date: 2018-06-27
URL: CVE-2018-12536
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/commit/ad4dceb1c08679baa2a6a64356fcde5309e13fd8
Release Date: 2018-06-27
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2019-10247

### Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error; it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.
Publish Date: 2019-04-22
URL: CVE-2019-10247
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577
Release Date: 2019-04-22
Fix Resolution: 9.2.28.v20190418
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-28169

### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-http-9.3.8.v20160314.jar
Administrative parent pom for Jetty modules
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar
Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3
:rescue_worker_helmet: Automatic Remediation is available for this issue

CVE-2021-34428

### Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar
Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)
Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979
Found in base branch: main
### Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Publish Date: 2021-06-22
URL: CVE-2021-34428
### CVSS 3 Score Details (3.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Physical
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6
Release Date: 2021-06-22
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3
:rescue_worker_helmet: Automatic Remediation is available for this issue.