Patched: 9.4.57 (EOL) - available on Maven Central
Weakness: CWE-404 - Improper Resource Shutdown or Release
In Eclipse Jetty versions 9.4.0 to 9.4.56, a buffer can be incorrectly released when a gzip error occurs while inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests.
GzipHandler causes part of request body to be seen as request body of a separate request
See: GHSA-q4rv-gq96-w7c5 for details.
Credits to: @maimaisie (reporter), and their team: @samjsong, @lei-sumo, and @nchudasmasumo
We encourage users of the EOL version of Jetty to upgrade to a supported version of Jetty as soon as possible, which as of today is Jetty 12.
If you are using javax.servlet for your webapp, you can continue to use javax.servlet by using the ee8 environment on Jetty 12.
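The following is an added illustration, not Jetty's code and not part of the original post: a simplified model of how an incorrect buffer release on an inflate error can lead to two later requests sharing one pooled buffer. The pool, the class and method names, and the double-release pattern are assumptions made for illustration; the page does not describe the exact code path.

```java
import java.nio.ByteBuffer;
import java.util.ArrayDeque;
import java.util.zip.DataFormatException;
import java.util.zip.Inflater;

// Simplified model of the bug class (CWE-404); all names are hypothetical, not Jetty's.
public class PoolReleaseDemo {
    static final ArrayDeque<ByteBuffer> POOL = new ArrayDeque<>();

    static ByteBuffer acquire() {
        ByteBuffer b = POOL.poll();
        if (b == null) b = ByteBuffer.allocate(32);
        b.clear();
        return b;
    }

    // Guarded release: a buffer already in the pool is never added a second time.
    static void releaseOnce(ByteBuffer b) {
        for (ByteBuffer p : POOL) if (p == b) return;   // identity, not content, comparison
        POOL.add(b);
    }

    // strict=false models the flaw: the inflate error path releases the buffer
    // and the normal cleanup releases it again, so the pool holds it twice.
    static void inflate(byte[] body, boolean strict) {
        ByteBuffer buf = acquire();
        Inflater inflater = new Inflater();
        try {
            inflater.setInput(body);
            inflater.inflate(buf.array());
        } catch (DataFormatException e) {
            if (!strict) POOL.add(buf);                 // premature release on error
        } finally {
            inflater.end();
            if (strict) releaseOnce(buf); else POOL.add(buf);
        }
    }

    // After one malformed body, do the next two "requests" receive the same buffer?
    static boolean nextTwoShare(boolean strict) {
        POOL.clear();
        inflate("constructed: not a deflate stream".getBytes(), strict);
        ByteBuffer a = acquire(), b = acquire();
        return a == b;
    }

    public static void main(String[] args) {
        System.out.println("flawed release, buffer shared: " + nextTwoShare(false));
        System.out.println("single release, buffer shared: " + nextTwoShare(true));
    }
}
```

With the flawed path the two subsequent acquisitions return the same buffer object, which is the condition under which one request's data can be overwritten or read by another; releasing exactly once removes it.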