temporalio / graphql-proxy

GraphQL API for Temporal Server
MIT License

jetty-server-9.3.8.v20160314.jar: 11 vulnerabilities (highest severity is: 9.8) - autoclosed #1

Closed mend-for-github-com[bot] closed 2 years ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2017-7657 | High | 9.8 | multiple | Transitive | N/A | |
| CVE-2016-4800 | High | 9.8 | multiple | Direct | org.eclipse.jetty:jetty-server:9.3.9.M0, org.eclipse.jetty:jetty-util:9.3.9.M0, org.eclipse.jetty:jetty-runner:9.3.9.M0 | |
| CVE-2017-7658 | High | 9.8 | multiple | Transitive | N/A | |
| CVE-2017-9735 | High | 7.5 | jetty-util-9.3.8.v20160314.jar | Transitive | N/A | |
| CVE-2017-7656 | High | 7.5 | multiple | Direct | org.eclipse.jetty:jetty-server:9.2.25.v20180606, 9.3.24.v20180605, 9.4.11.v20180605; org.eclipse.jetty:jetty-http:9.2.25.v20180606, 9.3.24.v20180605, 9.4.11.v20180605 | |
| CVE-2021-28165 | High | 7.5 | jetty-io-9.3.8.v20160314.jar | Transitive | N/A | |
| CVE-2019-10241 | Medium | 6.1 | multiple | Transitive | N/A | |
| CVE-2018-12536 | Medium | 5.3 | multiple | Transitive | N/A | |
| CVE-2019-10247 | Medium | 5.3 | jetty-server-9.3.8.v20160314.jar | Direct | 9.2.28.v20190418 | |
| CVE-2021-28169 | Medium | 5.3 | multiple | Direct | org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3; org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3; org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3; org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3 | |
| CVE-2021-34428 | Low | 3.5 | jetty-server-9.3.8.v20160314.jar | Direct | org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3 | |

Details

## CVE-2017-7657

### Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.

Publish Date: 2018-06-26

URL: CVE-2017-7657

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605

## CVE-2016-4800

### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-util-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.

Publish Date: 2017-04-13

URL: CVE-2016-4800

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4800

Release Date: 2017-04-13

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.9.M0,org.eclipse.jetty:jetty-util:9.3.9.M0,org.eclipse.jetty:jetty-runner:9.3.9.M0

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2017-7658

### Vulnerable Libraries - jetty-http-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.

Publish Date: 2018-06-26

URL: CVE-2017-7658

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606

## CVE-2017-9735

### Vulnerable Library - jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.

Publish Date: 2017-06-16

URL: CVE-2017-9735

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784

Release Date: 2017-06-16

Fix Resolution: 9.4.7.RC0

## CVE-2017-7656

### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.

Publish Date: 2018-06-26

URL: CVE-2017-7656

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667

Release Date: 2018-06-26

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605

## CVE-2021-28165

### Vulnerable Library - jetty-io-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.3.8.v20160314/371e3c2b72d9a9737579ec0fdfd6a2a3ab8b8141/jetty-io-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-io-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

## CVE-2019-10241

### Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents.

Publish Date: 2019-04-22

URL: CVE-2019-10241

### CVSS 3 Score Details (6.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10241

Release Date: 2019-04-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-servlet:9.2.27,9.3.26,9.4.16,org.eclipse.jetty:jetty-util:9.2.27,9.3.26,9.4.16

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-12536

### Vulnerable Libraries - jetty-util-9.3.8.v20160314.jar, jetty-server-9.3.8.v20160314.jar

### jetty-util-9.3.8.v20160314.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-util/9.3.8.v20160314/1d53c7a7e7715e67d6f4edec6c5b328ee162e65/jetty-util-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - jetty-io-9.3.8.v20160314.jar
    - :x: **jetty-util-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that doesn't match a dynamic url-pattern, and is eventually handled by the DefaultServlet's static file serving, the bad characters can trigger a java.nio.file.InvalidPathException which includes the full path to the base resource directory that the DefaultServlet and/or webapp is using. If this InvalidPathException is then handled by the default Error Handler, the InvalidPathException message is included in the error response, revealing the full server path to the requesting system.

Publish Date: 2018-06-27

URL: CVE-2018-12536

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/commit/ad4dceb1c08679baa2a6a64356fcde5309e13fd8

Release Date: 2018-06-27

Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-util:9.3.24.v20180605,9.4.11.v20180605,org.eclipse.jetty:jetty-servlet:9.3.24.v20180605,9.4.11.v20180605

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2019-10247

### Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version combination will reveal the configured fully qualified directory base resource location on the output of the 404 error for not finding a Context that matches the requested path. The default server behavior on jetty-distribution and jetty-home will include at the end of the Handler tree a DefaultHandler, which is responsible for reporting this 404 error, it presents the various configured contexts as HTML for users to click through to. This produced HTML includes output that contains the configured fully qualified directory base resource location for each context.

Publish Date: 2019-04-22

URL: CVE-2019-10247

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=546577

Release Date: 2019-04-22

Fix Resolution: 9.2.28.v20190418

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2021-28169

### Vulnerable Libraries - jetty-server-9.3.8.v20160314.jar, jetty-http-9.3.8.v20160314.jar

### jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

### jetty-http-9.3.8.v20160314.jar

Administrative parent pom for Jetty modules

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.3.8.v20160314/127feb7407f4137ff4295b5fa2895845db56710/jetty-http-9.3.8.v20160314.jar

Dependency Hierarchy:
- jetty-server-9.3.8.v20160314.jar (Root Library)
  - :x: **jetty-http-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

### CVSS 3 Score Details (5.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2021-34428

### Vulnerable Library - jetty-server-9.3.8.v20160314.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar,/gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.3.8.v20160314/da8366f602f35d4c3177cb081472e2fc4abe04ea/jetty-server-9.3.8.v20160314.jar

Dependency Hierarchy:
- :x: **jetty-server-9.3.8.v20160314.jar** (Vulnerable Library)

Found in HEAD commit: 88a939c2c318f8f73d61c143677013b95df9a979

Found in base branch: main

### Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

### CVSS 3 Score Details (3.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Physical
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/eclipse/jetty.project/security/advisories/GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3

:rescue_worker_helmet: Automatic Remediation is available for this issue

:rescue_worker_helmet: Automatic Remediation is available for this issue.

mend-for-github-com[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.