org.eclipse.jetty:jetty-server (Maven) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the Maven package org.eclipse.jetty:jetty-server, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (26)
CVE-2016-4800 — CVSS 9.8 (critical): The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass…
CVE-2017-7658 — CVSS 9.8 (critical): In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when…
CVE-2017-7657 — CVSS 9.8 (critical): In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance…
CVE-2019-17638 — CVSS 9.4 (critical): In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to…
CVE-2018-12538 — CVSS 8.8 (high): In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of…
CVE-2015-2080 — CVSS 7.5 (high): The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from process…
CVE-2026-1605 — CVSS 7.5 (high): In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP request, with…
CVE-2017-9735 — CVSS 7.5 (high): Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain…
CVE-2017-7656 — CVSS 7.5 (high): In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance…
CVE-2021-28165 — CVSS 7.5 (high): In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large…
CVE-2018-12545 — CVSS 7.5 (high): In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either large…
CVE-2022-2191 — CVSS 7.5 (high): In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from configured…
CVE-2024-13009 — CVSS 7.2 (high): In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request…
CVE-2006-6969 — CVSS 6.8 (medium): Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using…
CVE-2019-17632 — CVSS 6.1 (medium): In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response…
CVE-2019-10241 — CVSS 6.1 (medium): In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote…
CVE-2024-8184 — CVSS 5.9 (medium): There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause…
CVE-2019-10246 — CVSS 5.3 (medium): In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base…
CVE-2019-10247 — CVSS 5.3 (medium): In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jetty version…
CVE-2011-4461 — CVSS 5.3 (medium): Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions…
CVE-2023-26048 — CVSS 5.3 (medium): Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with…
CVE-2018-12536 — CVSS 5.3 (medium): In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arrives that…
CVE-2020-27223 — CVSS 5.2 (medium): In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple…
CVE-2020-27218 — CVSS 4.8 (medium): In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request…
CVE-2021-34428 — CVSS 2.9 (low): For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method…
CVE-2023-26049 — CVSS 2.4 (low): Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within…