Jetty has moved!
Jetty is a project at the Eclipse Foundation.
Homepage: http://www.eclipse.org/jetty
Downloads: http://download.eclipse.org/jetty/
Documentation: http://www.eclipse.org/jetty/documentation/current/
About: http://www.eclipse.org/jetty/about.php
Jetty Powered: http://www.eclipse.org/jetty/powered/
Contact the core Jetty developers at www.webtide.com
private support for your internal/customer projects ... custom extensions and distributions ... versioned snapshots for indefinite support ... scalability guidance for your apps and Ajax/Comet projects ... development services from 1 day to full product delivery

Jetty Security Reports

Resolved Issues

| Date (dd/mm/yyyy) | ID | Severity | Fixed Version | Comment |
|---|---|---|---|---|
| 22/12/2007 | JETTY-386 | High | 6.1.7 | Static content visible in WEB-INF and past security constraints |
| 5/11/2007 | CVE-2007-5614/CERT438616 | Low | 6.1.6rc1 | Single quote in cookie name |
| 5/11/2007 | CVE-2007-5613/CERT237888 | Low | 6.1.6rc1 | XSS in demo dump servlet |
| 3/10/2007 | CVE-2007-5615/CERT21284 | Medium | 6.1.6rc0 | CRLF response splitting |
| 22/11/2006 | CVE-2006-6969 | High | 6.1.0pre3, 6.0.2, 5.1.12, 4.2.27 | Session ID predictability |
| 1/6/2006 | CVE-2006-2759 | Medium | 6.0.0Beta17 | JSP source visibility |
| 5/1/2006 | | Medium | 5.1.10 | Fixed double-slash (//) security constraint bypass on Windows |
| 18/11/2005 | CVE-2006-2758 | Medium | 5.1.6, 6.0.0Beta4 | JSP source visibility |
| 4/2/2004 | JSSE 1.0.3_01 | Medium | 4.2.7 | Upgraded JSSE to obtain downstream security fix |
| 22/9/2002 | | High | 4.1.0 | Fixed CGI servlet remove exploit |
| 12/3/2002 | | Medium | 4.0.RC2, 3.1.7 | Fixed double-slash (//) security constraint bypass |
| 21/10/2001 | | Medium | 3.1.3 | Fixed trailing null security constraint bypass |

Known Jetty 6 Issues

none

Known Jetty 5 Issues

CVE-2007-5613/CERT237888 - The demonstration Dump servlet is vulnerable to cross-site scripting. The Dump servlet from Jetty 5 should not be deployed on production sites.

CVE-2007-5614/CERT438616 - HTTP cookie names are not checked for illegal characters. Unvalidated user data should not be used as the basis of a cookie name in an application served by Jetty 5.

CVE-2007-5615/CERT21284 - The HTTP header names and values set by an application are not checked for illegal characters. Unvalidated user data should not be used for either an HTTP header name or an HTTP header value.
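The two Jetty 5 entries above (cookie names and header names/values not checked for illegal characters) leave the check to the application. The following is an added example, not Jetty project code, of the application-side validation that can sit in front of response.addHeader() and response.addCookie(). It assumes RFC 2616 token grammar for header names and a conservative allowlist (letters, digits, '-', '_', '.') for cookie names; that allowlist is an assumption for the example, stricter than the RFC, chosen so that quote characters are rejected outright. Header values are rejected if they contain CR, LF or any other control character (horizontal tab excepted), which is the condition behind response splitting. The class name and method names are hypothetical.

```java
import java.util.BitSet;

// Added example, not Jetty project code: checks to apply before user-derived
// data reaches response.addHeader() or response.addCookie().
public final class HeaderSanity {

    // RFC 2616 "separators"; a token may contain any visible ASCII except these.
    private static final String SEPARATORS = "()<>@,;:\\\"/[]?={} \t";
    private static final BitSet TOKEN_CHARS = new BitSet(128);

    static {
        for (int c = 0x21; c < 0x7F; c++) {          // visible ASCII, excluding SP and DEL
            if (SEPARATORS.indexOf(c) < 0) {
                TOKEN_CHARS.set(c);
            }
        }
    }

    /** True if s is a non-empty RFC 2616 token, the grammar for an HTTP header name. */
    public static boolean isHeaderName(String s) {
        if (s == null || s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c >= 128 || !TOKEN_CHARS.get(c)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Conservative allowlist for cookie names: ASCII letters, digits, '-', '_', '.'.
     * Assumption for this example: stricter than the RFC token grammar (which admits
     * a single quote), so both quote characters are rejected.
     */
    public static boolean isCookieName(String s) {
        if (s == null || s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
            if (!ok) {
                return false;
            }
        }
        return true;
    }

    /**
     * True if v contains no CR, LF, NUL or other control character (HT excepted),
     * so it cannot end the header line early and inject a further header or body.
     */
    public static boolean isHeaderValue(String v) {
        if (v == null) {
            return false;
        }
        for (int i = 0; i < v.length(); i++) {
            char c = v.charAt(i);
            if ((c < 0x20 && c != '\t') || c == 0x7F) {
                return false;
            }
        }
        return true;
    }

    /** Fail closed: throw rather than let a bad name or value reach the response. */
    public static void requireHeader(String name, String value) {
        if (!isHeaderName(name)) {
            throw new IllegalArgumentException("illegal header name: " + name);
        }
        if (!isHeaderValue(value)) {
            throw new IllegalArgumentException("control character in value of " + name);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for illustration only.
        String[][] samples = {
            {"X-Request-Id", "abc123"},                 // clean name and value
            {"X-Request-Id", "abc\r\nX-Injected: 1"},   // CR/LF inside the value
            {"Bad Name", "x"},                          // SP in the name is a separator
        };
        for (String[] s : samples) {
            try {
                requireHeader(s[0], s[1]);
                System.out.println("accepted: " + s[0]);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
        System.out.println("cookie name sid accepted: " + isCookieName("sid"));
        System.out.println("cookie name it's accepted: " + isCookieName("it's"));
    }
}
```

The check is deliberately an allowlist rather than a blocklist of known-bad characters: the table above records separate fixes for a quote in a cookie name and for CR/LF in headers, and an allowlist covers both classes (and others not yet reported) without needing a new rule per incident.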
