Total
27 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-28165 | 4 Eclipse, Jenkins, Netapp and 1 more | 21 Jetty, Jenkins, Cloud Manager and 18 more | 2025-08-27 | 7.8 HIGH | 7.5 HIGH |
|
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
|
|||||
| CVE-2020-14798 | 4 Debian, Netapp, Opensuse and 1 more | 18 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 15 more | 2025-05-27 | 2.6 LOW | 3.1 LOW |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthori ...
Show More |
|||||
| CVE-2020-14796 | 4 Debian, Netapp, Opensuse and 1 more | 18 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 15 more | 2025-05-27 | 2.6 LOW | 3.1 LOW |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthori ...
Show More |
|||||
| CVE-2020-14779 | 5 Debian, Fedoraproject, Netapp and 2 more | 19 Debian Linux, Fedora, 7-mode Transition Tool and 16 more | 2025-05-27 | 4.3 MEDIUM | 3.7 LOW |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java ...
Show More |
|||||
| CVE-2020-14781 | 4 Debian, Netapp, Opensuse and 1 more | 17 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 14 more | 2025-05-27 | 4.3 MEDIUM | 3.7 LOW |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies t ...
Show More |
|||||
| CVE-2020-14797 | 4 Debian, Netapp, Opensuse and 1 more | 18 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 15 more | 2025-05-27 | 4.3 MEDIUM | 3.7 LOW |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible ...
Show More |
|||||
| CVE-2020-14792 | 5 Debian, Mcafee, Netapp and 2 more | 19 Debian Linux, Epolicy Orchestrator, 7-mode Transition Tool and 16 more | 2025-05-27 | 5.8 MEDIUM | 4.2 MEDIUM |
|
Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorize ...
Show More |
|||||
| CVE-2020-14803 | 4 Debian, Netapp, Opensuse and 1 more | 19 Debian Linux, 7-mode Transition Tool, Active Iq Unified Manager and 16 more | 2025-05-27 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Sta ...
Show More |
|||||
| CVE-2018-2826 | 3 Canonical, Netapp, Oracle | 18 Ubuntu Linux, Cloud Backup, Clustered Data Ontap and 15 more | 2025-05-06 | 5.1 MEDIUM | 8.3 HIGH |
|
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can res ...
Show More |
|||||
| CVE-2018-2825 | 3 Canonical, Netapp, Oracle | 18 Ubuntu Linux, Cloud Backup, Clustered Data Ontap and 15 more | 2025-05-06 | 5.1 MEDIUM | 8.3 HIGH |
|
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Libraries). The supported version that is affected is Java SE: 10. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can res ...
Show More |
|||||
| CVE-2018-2627 | 3 Netapp, Oracle, Redhat | 20 Active Iq Unified Manager, Cloud Backup, E-series Santricity Management Plug-ins and 17 more | 2025-05-06 | 3.7 LOW | 7.5 HIGH |
|
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Installer). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Java SE executes to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of th ...
Show More |
|||||
| CVE-2021-34428 | 4 Debian, Eclipse, Netapp and 1 more | 16 Debian Linux, Jetty, Active Iq Unified Manager and 13 more | 2024-11-21 | 3.6 LOW | 2.9 LOW |
|
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
|
|||||
| CVE-2021-28164 | 3 Eclipse, Netapp, Oracle | 17 Jetty, Cloud Manager, E-series Performance Analyzer and 14 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Eclipse Jetty 9.4.37.v20210219 to 9.4.38.v20210224, the default compliance mode allows requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. For example a request to /context/%2e/WEB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
|
|||||
| CVE-2021-28163 | 5 Apache, Eclipse, Fedoraproject and 2 more | 23 Ignite, Solr, Jetty and 20 more | 2024-11-21 | 4.0 MEDIUM | 2.7 LOW |
|
In Eclipse Jetty 9.4.32 to 9.4.38, 10.0.0.beta2 to 10.0.1, and 11.0.0.beta2 to 11.0.1, if a user uses a webapps directory that is a symlink, the contents of the webapps directory is deployed as a static webapp, inadvertently serving the webapps themselves and anything else that might be in that directory.
|
|||||
| CVE-2018-2638 | 3 Netapp, Oracle, Redhat | 24 Active Iq Unified Manager, Cloud Backup, E-series Santricity Management Plug-ins and 21 more | 2024-11-21 | 5.1 MEDIUM | 8.3 HIGH |
|
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: Deployment). Supported versions that are affected are Java SE: 8u152 and 9.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerab ...
Show More |
|||||
| CVE-2018-2581 | 3 Netapp, Oracle, Redhat | 20 Active Iq Unified Manager, Cloud Backup, E-series Santricity Management Plug-ins and 17 more | 2024-11-21 | 4.3 MEDIUM | 4.7 MEDIUM |
|
Vulnerability in the Java SE component of Oracle Java SE (subcomponent: JavaFX). Supported versions that are affected are Java SE: 7u161, 8u152 and 9.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnera ...
Show More |
|||||
| CVE-2018-1303 | 4 Apache, Canonical, Debian and 1 more | 7 Http Server, Ubuntu Linux, Debian Linux and 4 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.
|
|||||
| CVE-2018-1302 | 3 Apache, Canonical, Netapp | 6 Http Server, Ubuntu Linux, Clustered Data Ontap and 3 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
When an HTTP/2 stream was destroyed after being handled, the Apache HTTP Server prior to version 2.4.30 could have written a NULL pointer potentially to an already freed memory. The memory pools maintained by the server make this vulnerability hard to trigger in usual configurations, the reporter and the team could not reproduce it outside debug builds, so it is classified as low risk.
|
|||||
| CVE-2018-1301 | 5 Apache, Canonical, Debian and 2 more | 8 Http Server, Ubuntu Linux, Debian Linux and 5 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
A specially crafted request could have crashed the Apache HTTP Server prior to version 2.4.30, due to an out of bound access after a size limit is reached by reading the HTTP header. This vulnerability is considered very hard if not impossible to trigger in non-debug mode (both log and build level), so it is classified as low risk for common server usage.
|
|||||
| CVE-2018-1283 | 5 Apache, Canonical, Debian and 2 more | 8 Http Server, Ubuntu Linux, Debian Linux and 5 more | 2024-11-21 | 3.5 LOW | 5.3 MEDIUM |
|
In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a "Session" header. This comes from the "HTTP_SESSION" variable name used by mod_session to forward its data to CGIs, since the prefix "HTTP_" is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications.
|
|||||
| CVE-2018-17199 | 5 Apache, Canonical, Debian and 2 more | 6 Http Server, Ubuntu Linux, Debian Linux and 3 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Apache HTTP Server 2.4 release 2.4.37 and prior, mod_session checks the session expiry time before decoding the session. This causes session expiry time to be ignored for mod_session_cookie sessions since the expiry time is loaded when the session is decoded.
|
|||||
| CVE-2018-17189 | 7 Apache, Canonical, Debian and 4 more | 13 Http Server, Ubuntu Linux, Debian Linux and 10 more | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
|
In Apache HTTP server versions 2.4.37 and prior, by sending request bodies in a slow loris way to plain resources, the h2 stream for that request unnecessarily occupied a server thread cleaning up that incoming data. This affects only HTTP/2 (mod_http2) connections.
|
|||||
| CVE-2018-12538 | 2 Eclipse, Netapp | 12 Jetty, E-series Santricity Management Plug-ins, E-series Santricity Os Controller and 9 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
In Eclipse Jetty versions 9.4.0 through 9.4.8, when using the optional Jetty provided FileSessionDataStore for persistent storage of HttpSession details, it is possible for a malicious user to access/hijack other HttpSessions and even delete unmatched HttpSessions present in the FileSystem's storage for the FileSessionDataStore.
|
|||||
| CVE-2017-7658 | 5 Debian, Eclipse, Hp and 2 more | 20 Debian Linux, Jetty, Xp P9000 and 17 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermed ...
Show More |
|||||
| CVE-2017-7657 | 5 Debian, Eclipse, Hp and 2 more | 18 Debian Linux, Jetty, Xp P9000 and 15 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allo ...
Show More |
|||||
| CVE-2017-15715 | 5 Apache, Canonical, Debian and 2 more | 8 Http Server, Ubuntu Linux, Debian Linux and 5 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename.
|
|||||
| CVE-2017-15710 | 5 Apache, Canonical, Debian and 2 more | 8 Http Server, Ubuntu Linux, Debian Linux and 5 more | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
In Apache httpd 2.0.23 to 2.0.65, 2.2.0 to 2.2.34, and 2.4.0 to 2.4.29, mod_authnz_ldap, if configured with AuthLDAPCharsetConfig, uses the Accept-Language header value to lookup the right charset encoding when verifying the user's credentials. If the header value is not present in the charset conversion table, a fallback mechanism is used to truncate it to a two characters value to allow a quick retry (for example, 'en-US' is truncated to 'en'). A header value of less than two characters forces ...
Show More |
|||||