Eclipse Jetty 9.4.28 20200408

Submit a proposal Propose CVE/GCVE/GHSA reference

Approved changes feed: RSS · Atom

cpe:2.3:a:eclipse:jetty:9.4.28:20200408:*:*:*:*:*:*

part: a version: 9.4.28 update: 20200408

VendorEclipse (fa988180-604e-5c1f-93ea-65b5297000fc)
ProductJetty (218f4e28-2142-514f-b269-fe7d12f8e0be)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from NVD CPE 2.0 feed

PURL mappings

PURLSourceLast updated
pkg:eclipse/jetty purl2cpe 2026-06-01 10:15:03.524508
pkg:github/eclipse/jetty.project purl2cpe 2026-06-01 10:15:03.524509

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2019-17638 vulnerable 2026-06-03 14:39:56.699994 Details available
In Eclipse Jetty, versions 9.4.27.v20200227 to 9.4.29.v20200521, in case of too large response headers, Jetty throws an exception to produce an HTTP 431 error. When this happens, the ByteBuffer containing the HTTP response headers is released back to the ByteBufferPool twice. Because of this double release, two threads can acquire the same ByteBuffer from the pool and while thread1 is about to use the ByteBuffer to write response1 data, thread2 fills the ByteBuffer with other data. Thread1 then proceeds to write the buffer that now contains different data. This results in client1, which issued request1 seeing data from another request or response which could contain sensitive data belonging to client2 (HTTP session ids, authentication credentials, etc.). If the Jetty version cannot be upgraded, the vulnerability can be significantly reduced by configuring a responseHeaderSize significantly larger than the requestHeaderSize (12KB responseHeaderSize and 8KB requestHeaderSize).
Published: 2020-07-09T18:10:12.000Z
Updated: 2024-08-05T01:47:13.630Z
Reference links
Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.