MidnightBSD

Advisories for jetty

CVE-2002-1178 MEDIUM

Directory traversal vulnerability in the CGIServlet for Jetty HTTP server before 4.1.0 allows remote attackers to execute arbitrary commands via ..\ (dot-dot backslash) sequences in an HTTP request to the cgi-bin directory.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
jetty jetty_http_server *
CVE-2002-1533 MEDIUM

Cross-site scripting (XSS) vulnerability in Jetty JSP servlet engine allows remote attackers to insert arbitrary HTML or script via an HTTP request to a .jsp file whose name contains the malicious script and some encoded linefeed characters (%0a).

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
jetty jetty 4.1.0_rc4
CVE-2004-2381 MEDIUM

HttpRequest.java in Jetty HTTP Server before 4.2.19 allows remote attackers to cause denial of service (memory usage and application crash) via HTTP requests with a large Content-Length.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
jetty jetty_http_server 4.1.2
jetty jetty_http_server 4.0_rc1
jetty jetty_http_server 4.2.3
jetty jetty_http_server 4.2.12
jetty jetty_http_server 4.2.9
jetty jetty_http_server 4.2.10_pre1
jetty jetty_http_server 4.2.15
jetty jetty_http_server 4.1.d1
jetty jetty_http_server 4.0.d1
jetty jetty_http_server 4.1.3
jetty jetty_http_server 4.1.b0
jetty jetty_http_server 4.0.b0
jetty jetty_http_server 4.0.d3
jetty jetty_http_server 4.0.1_rc0
jetty jetty_http_server 4.2.17
jetty jetty_http_server 4.0.0
jetty jetty_http_server 4.1.0_rc5
jetty jetty_http_server 4.0.b1
jetty jetty_http_server 4.1.4
jetty jetty_http_server 4.0.1_rc2
jetty jetty_http_server 4.2.4_rc0
jetty jetty_http_server 4.2.11
jetty jetty_http_server 4.2.16
jetty jetty_http_server 4.1.d2
jetty jetty_http_server 4.0.6
jetty jetty_http_server 4.0.b2
jetty jetty_http_server 4.0_rc2
jetty jetty_http_server 4.2.2
jetty jetty_http_server 4.1.1
jetty jetty_http_server 4.2.0_rc0
jetty jetty_http_server 4.1.0_rc0
jetty jetty_http_server 4.2.8_01
jetty jetty_http_server 4.2.6
jetty jetty_http_server 4.0.2
jetty jetty_http_server 4.2.0_rc1
jetty jetty_http_server 4.2.5
jetty jetty_http_server 4.2.9_rc1
jetty jetty_http_server 4.2.1
jetty jetty_http_server 4.0.4
jetty jetty_http_server 4.2.0_beta0
jetty jetty_http_server 4.1.0_rc6
jetty jetty_http_server 4.0.1
jetty jetty_http_server 4.1.0_rc1
jetty jetty_http_server 4.2.7
jetty jetty_http_server 4.0.5
jetty jetty_http_server 4.2.10
jetty jetty_http_server 4.2.15_rc0
jetty jetty_http_server 4.2.10_pre0
jetty jetty_http_server 4.1.0
jetty jetty_http_server 4.2.9_rc2
jetty jetty_http_server 4.2.18
jetty jetty_http_server 4.0.1_rc1
jetty jetty_http_server 4.0.d0
jetty jetty_http_server 4.2.14
jetty jetty_http_server 4.1.0_rc3
jetty jetty_http_server 4.1.d0
jetty jetty_http_server 4.2.14_rc0
jetty jetty_http_server 4.0.d2
jetty jetty_http_server 4.0_rc3
jetty jetty_http_server 4.2.14_rc1
jetty jetty_http_server 4.2.0
jetty jetty_http_server 4.1.b1
jetty jetty_http_server 4.2.4
jetty jetty_http_server 4.0.d4
jetty jetty_http_server 4.1.0_rc2
jetty jetty_http_server 4.0.3
jetty jetty_http_server 4.1.0_rc4
CVE-2004-2478 HIGH

Unspecified vulnerability in Jetty HTTP Server, as used in (1) IBM Trading Partner Interchange before 4.2.4, (2) CA Unicenter Web Services Distributed Management (WSDM) before 3.11, and possibly other products, allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
jetty jetty_http_server 4.2.5
jetty jetty_http_server 4.2.11
jetty jetty_http_server 4.2.12
jetty jetty_http_server 4.2.16
jetty jetty_http_server 4.2.9
jetty jetty_http_server 4.2.15
jetty jetty_http_server 3.1.7
jetty jetty_http_server 4.2.4
jetty jetty_http_server 4.1.1
jetty jetty_http_server 4.2.7
ibm trading_partner_interchange *
ca unicenter_web_services_distributed_management *
jetty jetty_http_server 3.1.6
jetty jetty_http_server 4.2.17
jetty jetty_http_server 4.1.0
jetty jetty_http_server 4.2.18
ibm trading_partner_interchange 4.2.1
jetty jetty_http_server 4.2.19
jetty jetty_http_server 4.1.0_rc4
jetty jetty_http_server 4.2.6
jetty jetty_http_server 4.2.14
CVE-2006-2758 MEDIUM

Directory traversal vulnerability in jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary files via a %2e%2e%5c (encoded ../) in the URL. NOTE: this might be the same issue as CVE-2005-3747.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
jetty jetty 6.0
CVE-2006-2759 MEDIUM

jetty 6.0.x (jetty6) beta16 allows remote attackers to read arbitrary script source code via a capital P in the .jsp extension, and probably other mixed case manipulations.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
jetty jetty 6.0_beta_16