You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
mend-for-github-combot
changed the title
jetty-servlets-9.4.3.v20170317.jar: 2 vulnerabilities (highest severity is: 5.3)
jetty-servlets-9.4.3.v20170317.jar: 3 vulnerabilities (highest severity is: 5.3)
Oct 16, 2024
Vulnerable Library - jetty-servlets-9.4.3.v20170317.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.3.v20170317/jetty-servlets-9.4.3.v20170317.jar
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-9823
Vulnerable Library - jetty-servlets-9.4.3.v20170317.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.3.v20170317/jetty-servlets-9.4.3.v20170317.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.
Publish Date: 2024-10-14
URL: CVE-2024-9823
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-7hcf-ppf8-5w5h
Release Date: 2024-10-14
Fix Resolution: 9.4.54.v20240208
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2021-28169
Vulnerable Library - jetty-servlets-9.4.3.v20170317.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.3.v20170317/jetty-servlets-9.4.3.v20170317.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to
/concat?/%2557EB-INF/web.xml
can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.Publish Date: 2021-06-09
URL: CVE-2021-28169
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: 9.4.41.v20210516
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-36479
Vulnerable Library - jetty-servlets-9.4.3.v20170317.jar
Utility Servlets from Jetty
Library home page: https://webtide.com
Path to dependency file: /nifi-nar-bundles/nifi-jetty-bundle/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.3.v20170317/jetty-servlets-9.4.3.v20170317.jar
Dependency Hierarchy:
Found in HEAD commit: 0707e245fb382da58db8bb8ec5ccff5d9ae55c39
Found in base branch: master
Vulnerability Details
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Publish Date: 2023-09-15
URL: CVE-2023-36479
CVSS 3 Score Details (3.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3gh6-v5v9-6v9j
Release Date: 2023-09-15
Fix Resolution: 9.4.52.v20230823
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: