Contact the core Jetty developers at www.webtide.com
private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery
DOCUMENTATION: Jetty 6 - this wiki. Jetty 7 - at Eclipse. Jetty8 - at Eclipse. Jetty 9 - at Eclipse.
You are viewing an old version of this page.

Jetty Security Reports

Resolved Issues

| Date | ID | Severity | Fixed Version | Comment |
|---|---|---|---|---|
| 5/11/2007 | CERT VU#38616 | medium | 6.1.6rc1 | Single quote in cookie name |
| 5/11/2007 | CERT VU#237888 | low | 6.1.6rc1 | XSS in demo dump servlet |
| 3/10/2007 | CVE-2007-5615 | medium | 6.1.6rc0 | CRLF Response splitting |
| 22/11/2006 | CVE-2006-6969 | high | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 1/6/2006 | CVE-2006-2759 | medium | 6.0.0Beta17 | JSP source visibility |
| 5/1/2006 |  | medium | 5.1.10 | Fixed // security constraint bypass on Windows |
| 18/11/2005 | CVE-2006-2758 | medium | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 4/2/2004 | JSSE 1.0.3_01 | medium | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 22/9/2002 |  | high | 4.1.0 | Fixed CGI servlet remote exploit |
| 12/3/2002 |  | medium | 4.0.RC2, 3.1.7 | Fixed // security constraint bypass |
| 21/10/2001 |  | medium | 3.1.3 | Fixed trailing null security constraint bypass |

Known Jetty 6 Issues

none

Known Jetty 5 Issues

<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613">CVE-2007-5613</a>/<a href="http://www.kb.cert.org/vuls/id/212984">CERT212984</a> - The demonstration Dump servlet is vulnerable to cross-site scripting. The Dump servlet from Jetty 5 should not be deployed on production sites.

<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614">CVE-2007-5614</a>/<a href="http://www.kb.cert.org/vuls/id/438616">CERT438616</a> - HTTP cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5.

<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615">CVE-2007-5615</a>/<a href="http://www.kb.cert.org/vuls/id/237888">CERT237888</a> - The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either an HTTP header name or an HTTP header value.
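
Because Jetty 5 does not perform these checks itself, the application has to validate cookie names, header names and header values before handing them to the response. The following is an added example, not code from Jetty or from this page; the class name `HeaderGuard`, its method names and the sample inputs are hypothetical, and the cookie-name allow-list is a deliberately narrow choice made for the example.

```java
import java.util.regex.Pattern;

public final class HeaderGuard {
    // Header names: RFC 2616 "token" (no control characters, no separators).
    private static final Pattern HEADER_NAME =
        Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    // Cookie names: a narrower allow-list chosen for this example; it also
    // rejects quote characters, which the token grammar would permit.
    private static final Pattern COOKIE_NAME = Pattern.compile("[0-9A-Za-z_.\\-]+");

    private HeaderGuard() {}

    public static String headerName(String s) { return require(HEADER_NAME, s, "header name"); }
    public static String cookieName(String s) { return require(COOKIE_NAME, s, "cookie name"); }

    /** Values: reject CR, LF, NUL and every other control character except tab. */
    public static String headerValue(String s) {
        if (s == null) throw new IllegalArgumentException("null header value");
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7f)
                throw new IllegalArgumentException("control character in header value at index " + i);
        }
        return s;
    }

    private static String require(Pattern p, String s, String what) {
        if (s == null || !p.matcher(s).matches())
            throw new IllegalArgumentException("illegal " + what);
        return s;
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for untrusted request parameters.
        String[][] cases = {
            {"value", "en-GB"}, {"value", "en\r\nX-Other: 1"},
            {"cookie", "theme"}, {"cookie", "the'me"},
            {"header", "X-Lang"}, {"header", "X-Lang: x"},
        };
        for (String[] c : cases) {
            try {
                if (c[0].equals("value")) headerValue(c[1]);
                else if (c[0].equals("cookie")) cookieName(c[1]);
                else headerName(c[1]);
                System.out.println("accepted " + c[0]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + c[0] + ": " + e.getMessage());
            }
        }
    }
}
```

In a servlet the checks wrap the call site, for example `response.setHeader(HeaderGuard.headerName(name), HeaderGuard.headerValue(value))`, so a rejected input raises an exception before anything reaches the response.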
