jetty-documentation/src/main/asciidoc/reference/troubleshooting/security-reports.adoc - jetty - Git at Google

 //  ========================================================================
 //  Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
 //  ========================================================================
 //  All rights reserved. This program and the accompanying materials
 //  are made available under the terms of the Eclipse Public License v1.0
 //  and Apache License v2.0 which accompanies this distribution.
 //
 //      The Eclipse Public License is available at
 //      http://www.eclipse.org/legal/epl-v10.html
 //
 //      The Apache License v2.0 is available at
 //      http://www.opensource.org/licenses/apache2.0.php
 //
 //  You may elect to redistribute this code under either of these licenses.
 //  ========================================================================

 [[security-reports]]
 === Jetty Security Reports

 The following sections provide information about Jetty security issues.

 If you would like to report a security issue please follow these link:#security-reporting[instructions].

 .Resolved Issues
 [width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",]
 |=======================================================================
 |yyyy/mm/dd |ID |Exploitable |Severity |Affects |Fixed Version |Comment
 |2016/05/31 |CVE-2016-4800 |high |high |>= 9.3.0, < = 9.3.8 |9.3.9
 |http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.]

 |2015/02/24 |CVE-2015-2080 |high |high |>=9.2.3 <9.2.9 |9.2.9
 |http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[JetLeak exposure of past buffers during HttpParser error]

 |2013/11/27 |http://en.securitylab.ru/lab/PT-2013-65[PT-2013-65] |medium
 |high |>=9.0.0 <9.0.5 |9.0.6
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] |Alias checking disabled by NTFS errors on Windows.

 |2013/07/24
 |https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] |low
 |medium |>=7.6.9 <9.0.5 |7.6.13,8.1.13,9.0.5
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684]
 |Constraints bypassed if Unix symlink alias checker used on Windows.

 |2011/12/29
 |http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461]
 |high |medium |All versions |7.6.0.RCO
 https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638[Jetty-367638]
 |Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).

 |2009/11/05
 |http://www.kb.cert.org/vuls/id/120541[CERT2011-003] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555[CERT2011-003]
 |medium |high |JVM<1.6u19 |jetty-7.01.v20091125, jetty-6.1.22 |Work
 around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19
 setAllowRenegotiate(true) may be called on connectors.

 |2009/06/18 |http://jira.codehaus.org/browse/JETTY-1042[Jetty-1042] |low
 |high |< = 6.1.18, < = 7.0.0.M4 |6.1.19, 7.0.0.Rc0 |Cookie leak between
 requests sharing a connection.

 |2009/04/30 |http://www.kb.cert.org/vuls/id/402580[CERT402580] |medium
 |high |< = 6.1.16, < = 7.0.0.M2 a|
 5.1.15, 6.1.18, 7.0.0.M2

 http://jira.codehaus.org/browse/JETTY-1004[Jetty-1004]

  |View arbitrary disk content in some specific configurations.

 |2007/12/22
 |http://www.kb.cert.org/vuls/id/553235[CERT553235] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672[CVE-2007-6672]
 |high |medium |6.1.rrc0-6.1.6 a|
 6.1.7

 http://jira.codehaus.org/browse/JETTY-386[CERT553235]

  |Static content visible in WEB-INF and past security constraints.

 |2007/11/05
 |http://www.kb.cert.org/vuls/id/438616[CERT438616] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614[CVE-2007-5614]
 |low |low |<6.1.6 |6.1.6rc1 (patch in CVS for jetty5) |Single quote in
 cookie name.

 |2007/11/05
 |http://www.kb.cert.org/vuls/id/237888[CERT237888>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613[CVE-2007-5613]
 |low |low |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |XSS in demo dup
 servlet.

 |2007/11/03 |http://www.kb.cert.org/vuls/id/212984[CERT212984
 >] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615[CVE-2007-5615]
 |medium |medium |<6.1.6 |6.1.6rc0 (patch in CVS for jetty5) |CRLF
 Response splitting.

 |2006/11/22
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969[CVE-2006-6969]
 |low |high |<6.1.0, <6.0.2, <5.1.12, <4.2.27 |6.1.0pre3, 6.0.2, 5.1.12,
 4.2.27 |Session ID predictability.

 |2006/06/01
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759[CVE-2006-2759]
 |medium |medium |<6.0.*, <6.0.0Beta17 |6.0.0Beta17 |JSP source
 visibility.

 |2006/01/05 | |medium |medium |<5.1.10 |5.1.10 |Fixed //security
 constraint bypass on Windows.

 |2005/11/18
 |http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758[CVE-2006-2758]
 |medium |medium |<5.1.6 |5.1.6, 6.0.0Beta4 |JSP source visibility.

 |2004/02/04 |JSSE 1.0.3_01 |medium |medium |<4.2.7 |4.2.7 |Upgraded JSSE
 to obtain downstream security fix.

 |2002/09/22 | |high |high |<4.1.0 |4.1.0 |Fixed CGI servlet remove
 exploit.

 |2002/03/12 | |medium | |<3.1.7 |4.0.RC2, 3.1.7 |Fixed // security
 constraint bypass.

 |2001/10/21 |medium | |high |<3.1.3 |3.1.3 |Fixed trailing null security
 constraint bypass.
 |=======================================================================
	// ========================================================================
	// Copyright (c) 1995-2017 Mort Bay Consulting Pty. Ltd.
	// ========================================================================
	// All rights reserved. This program and the accompanying materials
	// are made available under the terms of the Eclipse Public License v1.0
	// and Apache License v2.0 which accompanies this distribution.
	//
	// The Eclipse Public License is available at
	// http://www.eclipse.org/legal/epl-v10.html
	//
	// The Apache License v2.0 is available at
	// http://www.opensource.org/licenses/apache2.0.php
	//
	// You may elect to redistribute this code under either of these licenses.
	// ========================================================================

	[[security-reports]]
	=== Jetty Security Reports

	The following sections provide information about Jetty security issues.

	If you would like to report a security issue please follow these link:#security-reporting[instructions].

	.Resolved Issues
	[width="99%",cols="11%,19%,14%,9%,14%,14%,19%",options="header",]
	\|=======================================================================
	\|yyyy/mm/dd \|ID \|Exploitable \|Severity \|Affects \|Fixed Version \|Comment
	\|2016/05/31 \|CVE-2016-4800 \|high \|high \|>= 9.3.0, < = 9.3.8 \|9.3.9
	\|http://www.ocert.org/advisories/ocert-2016-001.html[Alias vulnerability allowing access to protected resources within a webapp on Windows.]

	\|2015/02/24 \|CVE-2015-2080 \|high \|high \|>=9.2.3 <9.2.9 \|9.2.9
	\|http://blog.gdssecurity.com/labs/2015/2/25/jetleak-vulnerability-remote-leakage-of-shared-buffers-in-je.html[JetLeak exposure of past buffers during HttpParser error]

	\|2013/11/27 \|http://en.securitylab.ru/lab/PT-2013-65[PT-2013-65] \|medium
	\|high \|>=9.0.0 <9.0.5 \|9.0.6
	https://bugs.eclipse.org/bugs/show_bug.cgi?id=418014[418014] \|Alias checking disabled by NTFS errors on Windows.

	\|2013/07/24
	\|https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684] \|low
	\|medium \|>=7.6.9 <9.0.5 \|7.6.13,8.1.13,9.0.5
	https://bugs.eclipse.org/bugs/show_bug.cgi?id=413684[413684]
	\|Constraints bypassed if Unix symlink alias checker used on Windows.

	\|2011/12/29
	\|http://www.ocert.org/advisories/ocert-2011-003.html[CERT2011-003] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4461[CVE-2011-4461]
	\|high \|medium \|All versions \|7.6.0.RCO
	https://bugs.eclipse.org/bugs/show_bug.cgi?id=367638[Jetty-367638]
	\|Added ContextHandler.setMaxFormKeys (intkeys) to limit the number of parameters (default 1000).

	\|2009/11/05
	\|http://www.kb.cert.org/vuls/id/120541[CERT2011-003] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555[CERT2011-003]
	\|medium \|high \|JVM<1.6u19 \|jetty-7.01.v20091125, jetty-6.1.22 \|Work
	around by turning off SSL renegotiation in Jetty. If using JVM > 1.6u19
	setAllowRenegotiate(true) may be called on connectors.

	\|2009/06/18 \|http://jira.codehaus.org/browse/JETTY-1042[Jetty-1042] \|low
	\|high \|< = 6.1.18, < = 7.0.0.M4 \|6.1.19, 7.0.0.Rc0 \|Cookie leak between
	requests sharing a connection.

	\|2009/04/30 \|http://www.kb.cert.org/vuls/id/402580[CERT402580] \|medium
	\|high \|< = 6.1.16, < = 7.0.0.M2 a\|
	5.1.15, 6.1.18, 7.0.0.M2

	http://jira.codehaus.org/browse/JETTY-1004[Jetty-1004]

	\|View arbitrary disk content in some specific configurations.

	\|2007/12/22
	\|http://www.kb.cert.org/vuls/id/553235[CERT553235] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6672[CVE-2007-6672]
	\|high \|medium \|6.1.rrc0-6.1.6 a\|
	6.1.7

	http://jira.codehaus.org/browse/JETTY-386[CERT553235]

	\|Static content visible in WEB-INF and past security constraints.

	\|2007/11/05
	\|http://www.kb.cert.org/vuls/id/438616[CERT438616] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5614[CVE-2007-5614]
	\|low \|low \|<6.1.6 \|6.1.6rc1 (patch in CVS for jetty5) \|Single quote in
	cookie name.

	\|2007/11/05
	\|http://www.kb.cert.org/vuls/id/237888[CERT237888>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5613[CVE-2007-5613]
	\|low \|low \|<6.1.6 \|6.1.6rc0 (patch in CVS for jetty5) \|XSS in demo dup
	servlet.

	\|2007/11/03 \|http://www.kb.cert.org/vuls/id/212984[CERT212984
	>] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5615[CVE-2007-5615]
	\|medium \|medium \|<6.1.6 \|6.1.6rc0 (patch in CVS for jetty5) \|CRLF
	Response splitting.

	\|2006/11/22
	\|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6969[CVE-2006-6969]
	\|low \|high \|<6.1.0, <6.0.2, <5.1.12, <4.2.27 \|6.1.0pre3, 6.0.2, 5.1.12,
	4.2.27 \|Session ID predictability.

	\|2006/06/01
	\|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2759[CVE-2006-2759]
	\|medium \|medium \|<6.0.*, <6.0.0Beta17 \|6.0.0Beta17 \|JSP source
	visibility.

	\|2006/01/05 \| \|medium \|medium \|<5.1.10 \|5.1.10 \|Fixed //security
	constraint bypass on Windows.

	\|2005/11/18
	\|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2758[CVE-2006-2758]
	\|medium \|medium \|<5.1.6 \|5.1.6, 6.0.0Beta4 \|JSP source visibility.

	\|2004/02/04 \|JSSE 1.0.3_01 \|medium \|medium \|<4.2.7 \|4.2.7 \|Upgraded JSSE
	to obtain downstream security fix.

	\|2002/09/22 \| \|high \|high \|<4.1.0 \|4.1.0 \|Fixed CGI servlet remove
	exploit.

	\|2002/03/12 \| \|medium \| \|<3.1.7 \|4.0.RC2, 3.1.7 \|Fixed // security
	constraint bypass.

	\|2001/10/21 \|medium \| \|high \|<3.1.3 \|3.1.3 \|Fixed trailing null security
	constraint bypass.
	\|=======================================================================