Jetty
Jetty is a Java-based HTTP server and servlet container, widely embedded in frameworks including Apache Solr and Eclipse IDE. It originated as a Mortbay project before adoption by the Eclipse Foundation; NVD maintains CVE records under both the legacy mortbay:jetty and current eclipse:jetty namespaces. Attestd queries both and deduplicates on CVE ID.
Querying Jetty
Product: jetty. Versions: 12.0.7, 11.0.15, 9.4.53

```bash
curl "https://api.attestd.io/v1/check?product=jetty&version=11.0.13" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

Jetty 11.0.13 is affected by CVE-2023-36479 (incorrect servlet dispatch via CgiServlet). The aggregated response reports risk_state: "elevated":
```json
{
  "product": "jetty",
  "version": "11.0.13",
  "supported": true,
  "risk_state": "elevated",
  "risk_factors": [
    "server_side_request_forgery",
    "patch_available",
    "configuration_dependent_attack_vector"
  ],
  "actively_exploited": false,
  "remote_exploitable": true,
  "authentication_required": false,
  "patch_available": true,
  "fixed_version": "11.0.15",
  "confidence": 0.79,
  "cve_ids": ["CVE-2023-36479"],
  "last_updated": "2026-02-23T18:21:30Z"
}
```

Jetty 12.0.7 has no known relevant vulnerabilities at the time of the last synthesis run.
```bash
curl "https://api.attestd.io/v1/check?product=jetty&version=12.0.7" \
  -H "Authorization: Bearer $ATTESTD_KEY"
```

CVE history
Jetty's CVE history covers three subsystems: the servlet dispatch logic (SSRF via CgiServlet), multipart form parsing (denial of service), and session management (timing attacks in older releases). Denial-of-service vulnerabilities via request parsing are the most consistent pattern.
| CVE | Description | Affects | CVSS |
|---|---|---|---|
| CVE-2023-36479 | Incorrect request dispatch in CgiServlet with lenient PATH_INFO encoding causes server-side request forgery to an unintended servlet context. | 9.4–11.0 | 4.3 |
| CVE-2023-26048 | OutOfMemoryError in multipart form-data parsing when content-disposition headers omit filename; allows remote denial of service. | 9.4–11.0 | 5.3 |
| CVE-2023-26049 | Non-compliant handling of quoted cookie attribute values exposes adjacent cookie values to the application. | 9.4–11.0 | 5.3 |
| CVE-2021-28165 | High CPU usage when processing large TLS frames with client authentication enabled; allows remote denial of service. | 9.4–11 | 7.5 |
| CVE-2021-28169 | ReDoS via crafted URI path in ConcatServlet. | 9.4–11 | 5.3 |
| CVE-2017-9735 | Timing channel in HashSessionIdManager session ID generation allows session prediction. | < 9.3.19, < 9.4.7 | 7.5 |
Dual CPE namespace handling
Jetty originated as a Mortbay project before moving to the Eclipse Foundation. NVD records historical CVEs from the pre-Eclipse era under the mortbay:jetty namespace and current CVEs under eclipse:jetty. Attestd queries both and merges results on CVE ID to ensure complete coverage across both namespaces.
| CPE | Era |
|---|---|
| cpe:2.3:a:eclipse:jetty | Eclipse Foundation era (current) |
| cpe:2.3:a:mortbay:jetty | Pre-Eclipse era (historical) |
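A deployment gate built on the check response shown under Querying Jetty, as an added example (not Attestd client code): it consumes the Jetty 11.0.13 response, applies a blocking policy, and recommends fixed_version only when it is newer than the running build. The field names are those of the response above; the policy rules, the 0.7 confidence threshold and the allow-on-empty-cve_ids behaviour are assumptions.

```python
import json
import urllib.request
from dataclasses import dataclass, field
from typing import List, Optional
# The Jetty 11.0.13 response shown above, embedded so the demo runs offline.
SAMPLE_RESPONSE = json.loads("""{
  "product": "jetty", "version": "11.0.13", "supported": true,
  "risk_state": "elevated", "actively_exploited": false,
  "risk_factors": ["server_side_request_forgery", "patch_available",
                   "configuration_dependent_attack_vector"],
  "remote_exploitable": true, "authentication_required": false,
  "patch_available": true, "fixed_version": "11.0.15", "confidence": 0.79,
  "cve_ids": ["CVE-2023-36479"], "last_updated": "2026-02-23T18:21:30Z"
}""")

def version_key(v: str) -> tuple:
    """'9.4.53' -> (9, 4, 53), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())

@dataclass
class Decision:
    action: str                       # "allow", "warn" or "block"
    reasons: List[str] = field(default_factory=list)
    upgrade_to: Optional[str] = None  # fixed_version worth moving to, if any

def evaluate(resp: dict, min_confidence: float = 0.7) -> Decision:
    """Assumed policy (not Attestd's): block if remotely exploitable without
    auth and patched, or actively exploited; warn on other CVEs; else allow."""
    if not resp.get("cve_ids"):
        return Decision("allow", ["no known relevant vulnerabilities"])
    d = Decision("warn", ["cves: " + ", ".join(resp["cve_ids"])])
    if resp.get("confidence", 1.0) < min_confidence:
        d.reasons.append(f"low confidence {resp['confidence']}")
    if resp.get("remote_exploitable") and not resp.get("authentication_required"):
        d.reasons.append("remotely exploitable without authentication")
        d.action = "block" if resp.get("patch_available") else d.action
    if resp.get("actively_exploited"):
        d.reasons.append("actively exploited")
        d.action = "block"
    fixed = resp.get("fixed_version")
    if fixed and version_key(fixed) > version_key(resp["version"]):
        d.upgrade_to = fixed  # only recommend a fix newer than what is running
    return d

def fetch_check(product: str, version: str, key: str) -> dict:
    """Live query matching the curl above; the offline demo does not call it."""
    url = f"https://api.attestd.io/v1/check?product={product}&version={version}"
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})
    with urllib.request.urlopen(req, timeout=10) as r:
        return json.load(r)
```

For a live check, pass the result of fetch_check("jetty", "11.0.13", os.environ["ATTESTD_KEY"]) to evaluate instead of SAMPLE_RESPONSE.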