Trail of Bits

Eclipse Jetty

Type: Security review

Client: OSTIF

Date: 2023-03

Domain: AppSec

Effort: 6 weeks

Section: Technology Product Reviews

Trail of Bits's security review of Eclipse Jetty for OSTIF (Mar 2023) identified 25 issues: 9 high, 7 medium, 4 low, and 5 informational.

Findings · 25

  1. Risk of integer overflow that could allow HpackDecoder to exceed maxHeaderSize (Medium)
  2. Cookie parser accepts unmatched quotation marks (Informational)
  3. Errant command quoting in CGI servlet (High)
  4. Symlink-allowed alias checker ignores protected targets list (High)
  5. Missing check for malformed Unicode escape sequences in QuotedStringTokenizer.unquote (Low)
  6. WebSocket frame length represented with 32-bit integer (High)
  7. WebSocket parser does not check for negative payload lengths (Low)
  8. WebSocket parser greedily allocates ByteBuffers for large frames (Medium)
  9. Risk of integer overflow in HPACK's NBitInteger.decode (Informational)
  10. MetaDataBuilder.checkSize accepts headers of negative lengths (Medium)
  11. Insufficient space allocated when encoding QPACK instructions and entries (Low)
  12. LiteralNameEntryInstruction incorrectly encodes value length (Medium)
  13. FileInitializer does not check for symlinks (High)
  14. FileInitializer permits downloading files via plaintext HTTP (High)
  15. NullPointerException thrown by FastCGI parser on invalid frame type (Medium)
  16. Documentation does not specify that request contents and other user data can be exposed in debug logs (Medium)
  17. HttpStreamOverFCGI internally marks all requests as plaintext HTTP (High)
  18. Excessively permissive and non-standards-compliant error handling in HTTP/2 implementation (Low)
  19. XML external entities and entity expansion in Maven package metadata parser (High)
  20. Use of deprecated AccessController class (Informational)
  21. QUIC server writes SSL private key to temporary plaintext file (High)
  22. Repeated code between HPACK and QPACK (Informational)
  23. Various exceptions in HpackDecoder.decode and QpackDecoder.decode (Informational)
  24. Incorrect QPACK encoding when multi-byte characters are used (Medium)
  25. No limits on maximum capacity in QPACK decoder (High)

Findings extracted from the published report PDF. See the full report below for details and remediation.