You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on May 12, 2021. It is now read-only.
Cache Poisoning
Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.eclipse.jetty:jetty-server@9.3.11.v20160721, org.eclipse.jetty:jetty-servlets@9.3.11.v20160721 and others
Detailed paths
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-servlets@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-servlets@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-rewrite@9.3.11.v20160721 › org.eclipse.jetty:jetty-client@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-rewrite@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-rewrite@9.3.11.v20160721 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-rewrite@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-servlet@9.3.11.v20160721 › org.eclipse.jetty:jetty-security@9.3.11.v20160721 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.3.24.v20180605.
Overview
org.eclipse.jetty:jetty-http is a is a http module for jetty server.
Affected versions of this package are vulnerable to Cache Poisoning. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version, the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Cache Poisoning
Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.eclipse.jetty:jetty-server@9.3.11.v20160721, org.eclipse.jetty:jetty-servlets@9.3.11.v20160721 and others
Detailed paths
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-servlets@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-servlets@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-rewrite@9.3.11.v20160721 › org.eclipse.jetty:jetty-client@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-rewrite@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-rewrite@9.3.11.v20160721 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-rewrite@9.3.24.v20180605.
Introduced through: apache/aurora@apache/aurora#ea8e2f4d905e26b3b999e8b59a3cb74a08a3dbf5 › org.eclipse.jetty:jetty-servlet@9.3.11.v20160721 › org.eclipse.jetty:jetty-security@9.3.11.v20160721 › org.eclipse.jetty:jetty-server@9.3.11.v20160721 › org.eclipse.jetty:jetty-http@9.3.11.v20160721
Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.3.24.v20180605.
Overview
org.eclipse.jetty:jetty-http is a is a http module for jetty server.
Affected versions of this package are vulnerable to Cache Poisoning. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version, the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.