Eclipse Jetty
69 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
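The range notation used on this page (">= 9.4.0 and < 9.4.60", "<= 9.4.58", "< 9.4.53", "all versions") is easy to match programmatically, but Jetty version strings carry build-date suffixes (9.4.38.v20210224) and pre-release qualifiers (10.0.0.alpha0, 9.4.0.RC0, 6.1.6rc0, 7.0.0.M2) that a plain string comparison orders wrongly. The following is an added example written for this page, not code from Eclipse Jetty or from threatengine.sh: it parses those version shapes, evaluates the range expressions, and separates confirmed hits from "all versions" entries, which on this page also appear on CVEs whose description names a narrow window (CVE-2021-28164, for instance) and therefore need a manual read of the description. The sample entries are a subset copied from the list below, the deployed version strings are constructed, and the relative ordering of the pre-release qualifiers is an assumption.

```python
"""Match a deployed Jetty version against the affected-version ranges used on this page.

Added example for this listing; not code from Eclipse Jetty or threatengine.sh.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Assumed ordering of pre-release qualifiers; all of them sort before the final release.
_PRE: Dict[str, int] = {"alpha": 0, "beta": 1, "m": 2, "pre": 3, "rc": 4}

_VERSION_RE = re.compile(
    r"^(\d+(?:\.\d+)*)"                        # numeric components, e.g. 9.4.38
    r"(?:[.\-]?(alpha|beta|rc|m|pre)(\d*))?"   # optional qualifier, e.g. .alpha0, rc0, .M2
    r"(?:[.\-]?v\d{8})?$"                      # optional build-date suffix, e.g. .v20210224
)

_OPS: Dict[str, Callable[[tuple, tuple], bool]] = {
    ">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Return a tuple that sorts the way Jetty releases are ordered.

    The build-date suffix is ignored; a pre-release sorts below the final
    release with the same numbers (10.0.0.alpha0 < 10.0.0)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * max(0, 4 - len(nums))       # pad so 9.4 compares equal to 9.4.0.0
    if m.group(2):                             # (..., 0, qualifier rank, qualifier number)
        return nums + (0, _PRE[m.group(2)], int(m.group(3) or 0))
    return nums + (1, 0, 0)                    # final release


def parse_range(expr: str) -> Optional[List[Tuple[str, Tuple[int, ...]]]]:
    """Parse '>= 9.4.0 and < 9.4.60' into (operator, version) predicates.

    Returns None for 'all versions', which cannot be evaluated mechanically."""
    expr = expr.strip()
    if expr == "all versions":
        return None
    preds = []
    for clause in expr.split(" and "):
        m = re.match(r"^(>=|<=|>|<)\s*(\S+)$", clause.strip())
        if not m:
            raise ValueError(f"unrecognised range clause: {clause!r}")
        preds.append((m.group(1), parse_version(m.group(2))))
    return preds


def version_in_range(version: str, expr: str) -> Optional[bool]:
    """True/False for a concrete range; None when the range is 'all versions'."""
    preds = parse_range(expr)
    if preds is None:
        return None
    v = parse_version(version)
    return all(_OPS[op](v, bound) for op, bound in preds)


# Constructed sample: a subset of the entries on this page as (CVE, affected range, CVSS).
SAMPLE_ENTRIES = [
    ("CVE-2026-2332", ">= 9.4.0 and < 9.4.60", 7.4),
    ("CVE-2026-5795", ">= 9.4.0 and <= 9.4.58", 7.4),
    ("CVE-2026-1605", ">= 12.0.0 and < 12.0.32", 7.5),
    ("CVE-2025-1948", ">= 12.0.0 and < 12.0.17", 7.5),
    ("CVE-2024-13009", ">= 9.4.0 and < 9.4.57", 7.2),
    ("CVE-2023-44487", "< 9.4.53", 7.5),
    ("CVE-2021-28164", "all versions", 5.3),
    ("CVE-2019-17638", "all versions", 9.4),
]


def affected_cves(version: str, entries=SAMPLE_ENTRIES, min_cvss: float = 0.0):
    """Return (confirmed, needs_review) CVE id lists for the given deployed version.

    'needs_review' holds 'all versions' entries at or above min_cvss; their
    description must be read by hand before they are counted as exposure."""
    confirmed, review = [], []
    for cve, rng, cvss in entries:
        if cvss < min_cvss:
            continue
        hit = version_in_range(version, rng)
        if hit is None:
            review.append(cve)
        elif hit:
            confirmed.append(cve)
    return sorted(confirmed), sorted(review)


if __name__ == "__main__":
    # Constructed version strings, in the form a Server header or jar manifest reports them.
    for v in ("9.4.56.v20240826", "12.0.31", "12.0.0.alpha0"):
        print(v, affected_cves(v, min_cvss=7.0))
```

Note that the check only reports what this page's range fields say; a backported fix in a vendor build with an unchanged upstream version string will still be flagged, and an entry reported as "needs review" is neither confirmed nor cleared.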
CVE-2026-2332
>= 9.4.0 and < 9.4.60
In Eclipse Jetty, the HTTP/1.1 parser is vulnerable to request smuggling when chunk extensions are used, similar to the "funky chu
7.4
HIGH
CVE-2026-5795
>= 9.4.0 and <= 9.4.58
In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable. Upon ret
7.4
HIGH
CVE-2026-1605
>= 12.0.0 and < 12.0.32
In Eclipse Jetty, versions 12.0.0-12.0.31 and 12.1.0-12.0.5, class GzipHandler exposes a vulnerability when a compressed HTTP requ
7.5
HIGH
CVE-2025-11143
>= 9.4.0 and <= 9.4.58
The Jetty URI parser has some key differences to other common parsers when evaluating invalid or unusual URIs. Differential parsi
3.7
LOW
CVE-2025-5115
>= 9.3.0 and <= 9.4.57
In Eclipse Jetty, versions <=9.4.57, <=10.0.25, <=11.0.25, <=12.0.21, <=12.1.0.alpha2, an HTTP/2 client may trigger the server to
7.5
HIGH
CVE-2025-1948
>= 12.0.0 and < 12.0.17
In Eclipse Jetty versions 12.0.0 to 12.0.16 included, an HTTP/2 client can specify a very large value for the HTTP/2 settings para
7.5
HIGH
CVE-2024-13009
>= 9.4.0 and < 9.4.57
In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a
7.2
HIGH
CVE-2024-8184
>= 9.3.12 and < 9.4.56
There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to ca
5.9
MEDIUM
CVE-2024-6763
>= 7.0.0 and < 9.4.57
Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI,
3.7
LOW
CVE-2024-6762
>= 10.0.0 and < 10.0.18
Jetty PushSessionCacheFilter can be exploited by unauthenticated users to launch remote DoS attacks by exhausting the server’s
3.1
LOW
CVE-2024-9823
>= 9.0.0 and < 9.4.54
There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-
5.3
MEDIUM
CVE-2024-22201
>= 9.3.0 and < 9.4.54
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked
7.5
HIGH
CVE-2023-36478
>= 9.3.0 and < 9.4.53
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 t
7.5
HIGH
CVE-2023-44487
< 9.4.53
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams q
7.5
HIGH
CVE-2023-41900
>= 9.4.21 and < 9.4.52
Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15 are vulnerable to weak a
3.5
LOW
CVE-2023-40167
>= 9.0.0 and < 9.4.52
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the `+`
5.3
MEDIUM
CVE-2023-36479
>= 9.0.0 and < 9.4.52
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific
3.5
LOW
CVE-2023-26049
< 9.4.51
Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies
2.4
LOW
CVE-2023-26048
< 9.4.51
Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with `@M
5.3
MEDIUM
CVE-2022-2191
>= 10.0.0 and <= 10.0.9
In Eclipse Jetty versions 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, SslConnection does not release ByteBuffers from con
7.5
HIGH
CVE-2022-2048
< 9.4.47
In Eclipse Jetty HTTP/2 server implementation, when encountering an invalid HTTP/2 request, the error handling has a bug that can
7.5
HIGH
CVE-2022-2047
< 9.4.46
In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority
2.7
LOW
CVE-2021-34429
>= 9.4.37 and < 9.4.43
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to acce
5.3
MEDIUM
CVE-2021-34428
<= 9.4.40
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed()
2.9
LOW
CVE-2021-28169
< 9.4.41
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded
5.3
MEDIUM
CVE-2021-28165
>= 7.2.2 and < 9.4.39
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a
7.5
HIGH
CVE-2021-28164
all versions
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %
5.3
MEDIUM
CVE-2021-28163
>= 9.4.32 and < 9.4.39
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is
2.7
LOW
CVE-2020-27223
>= 9.4.7 and < 9.4.36
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multi
5.2
MEDIUM
CVE-2020-27218
>= 9.4.0 and < 9.4.35
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP
4.8
MEDIUM
CVE-2020-27216
>= 1.0 and < 9.3.29
In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2, on Uni
7.0
HIGH
CVE-2019-17638
all versions
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception
9.4
CRITICAL
CVE-2019-17632
all versions
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error resp
6.1
MEDIUM
CVE-2009-5046
< 6.1.22
JSP Dump and Session Dump Servlet XSS in jetty before 6.1.22.
6.1
MEDIUM
CVE-2009-5045
< 6.1.22
Dump Servlet information leak in jetty before 6.1.22.
7.5
HIGH
CVE-2009-5049
<= 6.1.21
WebApp JSP Snoop page XSS in jetty through 6.1.21.
6.1
MEDIUM
CVE-2009-5048
<= 6.1.20
Cookie Dump Servlet stored XSS vulnerability in jetty through 6.1.20.
6.1
MEDIUM
CVE-2019-10247
all versions
In Eclipse Jetty version 7.x, 8.x, 9.2.27 and older, 9.3.26 and older, and 9.4.16 and older, the server running on any OS and Jett
5.3
MEDIUM
CVE-2019-10246
all versions
In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualifie
5.3
MEDIUM
CVE-2019-10241
all versions
In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a
6.1
MEDIUM
CVE-2018-12545
all versions
In Eclipse Jetty version 9.3.x and 9.4.x, the server is vulnerable to Denial of Service conditions if a remote client sends either
7.5
HIGH
CVE-2018-12536
>= 9.0.0 and <= 9.2.26
In Eclipse Jetty Server, all 9.x versions, on webapps deployed using default Error Handling, when an intentionally bad query arriv
5.3
MEDIUM
CVE-2017-7658
<= 9.2.26
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations
9.8
CRITICAL
CVE-2017-7657
<= 9.2.26
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 complian
9.8
CRITICAL
CVE-2017-7656
<= 9.2.26
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 complian
7.5
HIGH
CVE-2018-12538
>= 9.4.0 and <= 9.4.8
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage
8.8
HIGH
CVE-2017-9735
< 9.2.22
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obt
7.5
HIGH
CVE-2016-4800
all versions
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to b
9.8
CRITICAL
CVE-2015-2080
all versions
The exception handling code in Eclipse Jetty before 9.2.9.v20150224 allows remote attackers to obtain sensitive information from p
7.5
HIGH
CVE-2011-4461
<= 8.1.0
Jetty 8.1.0.RC2 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions pr
5.3
MEDIUM
CVE-2009-4612
all versions
Multiple cross-site scripting (XSS) vulnerabilities in the WebApp JSP Snoop page in Mort Bay Jetty 6.1.x through 6.1.21 allow remo
CVE-2009-4611
all versions
Mort Bay Jetty 6.x through 6.1.22 and 7.0.0 writes backtrace data without sanitizing non-printable characters, which might allow r
CVE-2009-4610
all versions
Multiple cross-site scripting (XSS) vulnerabilities in Mort Bay Jetty 6.x and 7.0.0 allow remote attackers to inject arbitrary web
CVE-2009-4609
all versions
The Dump Servlet in Mort Bay Jetty 6.x and 7.0.0 allows remote attackers to obtain sensitive information about internal variables
CVE-2009-3579
all versions
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remo
CVE-2009-1524
<= 6.1.16
Cross-site scripting (XSS) vulnerability in Mort Bay Jetty before 6.1.17 allows remote attackers to inject arbitrary web script or
CVE-2009-1523
<= 6.1.16
Directory traversal vulnerability in the HTTP server in Mort Bay Jetty 5.1.14, 6.x before 6.1.17, and 7.x through 7.0.0.M2 allows
CVE-2007-6672
all versions
Mortbay Jetty 6.1.5 and 6.1.6 allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/
CVE-2007-5615
<= 6.1.6rc0
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct
CVE-2007-5614
all versions
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote at
CVE-2007-5613
all versions
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitr
CVE-2006-6969
all versions
Jetty before 4.2.27, 5.1 before 5.1.12, 6.0 before 6.0.2, and 6.1 before 6.1.0pre3 generates predictable session identifiers using
CVE-2006-2759
all versions
jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, an
CVE-2006-2758
all versions
Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (
CVE-2005-3747
<= 5.1.5
Unspecified vulnerability in Jetty before 5.1.6 allows remote attackers to obtain source code of JSP pages, possibly involving req
CVE-2004-2478
all versions
Unspecified vulnerability in Jetty HTTP Server, as used in (1) IBM Trading Partner Interchange before 4.2.4, (2) CA Unicenter Web
CVE-2004-2381
all versions
HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and applicati
CVE-2002-1533
all versions
Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script vi
CVE-2002-1178
<= 4.1.0
Directory traversal vulnerability in the CGIServlet for Jetty HTTP server before 4.1.0 allows remote attackers to execute arbitrar
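Several entries above share one root cause: a protected-resource check applied to the request path before the path has been decoded and normalised, so encoded dot segments (the %2e and %2e%2e segments of CVE-2021-28164 and CVE-2021-34429), a doubly encoded path (CVE-2021-28169), or a backslash separator (the %2e%2e%5c sequence of CVE-2006-2758) slip past it. The following is an added, illustrative guard written for this page, not Jetty's own implementation: it shows the fragile raw-path comparison beside a check that decodes once, canonicalises, fails closed on anything that still looks encoded, and only then compares against the protected prefixes. The protected directories are the standard servlet-container ones, and the probe paths are constructed from the shapes the entries name.

```python
"""Canonicalise a request path before deciding whether it reaches a protected resource.

Added example for this page; an illustrative guard, not Eclipse Jetty's code.
"""
from urllib.parse import unquote

# Assumed protected prefixes: the servlet-spec directories that must never be served.
PROTECTED = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(raw_path: str) -> bool:
    """The pattern to avoid: compares the raw, still-encoded path as received."""
    return raw_path.upper().startswith(PROTECTED)


def canonicalise(raw_path: str) -> str:
    """Percent-decode once, treat backslash as a separator, collapse '.' and '..'.

    Raises ValueError when the path escapes the context root or still carries an
    encoded dot or separator after one decode (a doubly encoded request): a later
    component that decodes again would reopen the hole, so refuse it here."""
    path = unquote(raw_path.split("?", 1)[0])          # drop query, decode once (%2e -> .)
    if any(t in path.lower() for t in ("%2e", "%2f", "%5c")):
        raise ValueError("doubly encoded dot segment or separator")
    path = path.replace("\\", "/")                     # %5c decoded to '\' is a separator too
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                                   # '//' and '/./' contribute nothing
        if seg == "..":
            if not out:
                raise ValueError("path escapes the context root")
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def is_protected(raw_path: str) -> bool:
    """Decide on the canonical form; anything that cannot be canonicalised is refused."""
    try:
        canon = canonicalise(raw_path)
    except ValueError:
        return True                                    # fail closed
    return (canon.upper() + "/").startswith(PROTECTED)


if __name__ == "__main__":
    # Constructed probe paths using the encoded shapes the entries above name.
    for p in ("/index.html", "/%2e/WEB-INF/web.xml", "/a/%2e%2e/WEB-INF/web.xml",
              "/%2e%2e%5cWEB-INF/web.xml", "/%252e%252e/WEB-INF/web.xml"):
        print(f"{p:32} naive={naive_is_protected(p)!s:5} canonical={is_protected(p)}")
```

The order matters more than any individual rule: decode exactly once, normalise, then authorise on the result. Decoding in a loop "until stable" is not a substitute, because it turns legitimate literal percent signs into separators; refusing paths that still look encoded after one decode keeps the guard conservative without that side effect.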
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin