jetty-server-9.4.26.v20200117.jar: 4 vulnerabilities (highest severity is: 5.3)

[dev-mend-for-github-com]

Vulnerable Library - jetty-server-9.4.26.v20200117.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /server/impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar

Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jetty-server version)	Remediation Possible**	Reachability
CVE-2023-26048	Medium	5.3	jetty-server-9.4.26.v20200117.jar	Direct	9.4.51.v20230217	✅
CVE-2021-28169	Medium	5.3	jetty-server-9.4.26.v20200117.jar	Direct	9.4.41.v20210516	✅
CVE-2020-27218	Medium	4.8	jetty-server-9.4.26.v20200117.jar	Direct	9.4.35.v20201120	✅
CVE-2021-34428	Low	3.5	jetty-server-9.4.26.v20200117.jar	Direct	9.4.41.v20210516	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-26048

Vulnerable Library - jetty-server-9.4.26.v20200117.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /server/impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar

Dependency Hierarchy:

• ❌ jetty-server-9.4.26.v20200117.jar (Vulnerable Library)

Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f

Found in base branch: master

Vulnerability Details

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Publish Date: 2023-04-18

URL: CVE-2023-26048

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qw69-rqj8-6qw8

Release Date: 2023-04-18

Fix Resolution: 9.4.51.v20230217

In order to enable automatic remediation, please create workflow rules

CVE-2021-28169

Vulnerable Library - jetty-server-9.4.26.v20200117.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /server/impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar

Dependency Hierarchy:

• ❌ jetty-server-9.4.26.v20200117.jar (Vulnerable Library)

Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: 9.4.41.v20210516

In order to enable automatic remediation, please create workflow rules

CVE-2020-27218

Vulnerable Library - jetty-server-9.4.26.v20200117.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /server/impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar

Dependency Hierarchy:

• ❌ jetty-server-9.4.26.v20200117.jar (Vulnerable Library)

Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f

Found in base branch: master

Vulnerability Details

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Publish Date: 2020-11-28

URL: CVE-2020-27218

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-86wm-rrjm-8wh8

Release Date: 2020-11-28

Fix Resolution: 9.4.35.v20201120

In order to enable automatic remediation, please create workflow rules

CVE-2021-34428

Vulnerable Library - jetty-server-9.4.26.v20200117.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /server/impl/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar,/home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.26.v20200117/jetty-server-9.4.26.v20200117.jar

Dependency Hierarchy:

• ❌ jetty-server-9.4.26.v20200117.jar (Vulnerable Library)

Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Physical
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: 9.4.41.v20210516

In order to enable automatic remediation, please create workflow rules

---

In order to enable automatic remediation for this issue, please create workflow rules