SB2026071348 - Multiple vulnerabilities in Jetty



SB2026071348 - Multiple vulnerabilities in Jetty

Published: July 13, 2026

Security Bulletin ID SB2026071348
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Improper Handling of Alternate Encoding (CVE-ID: CVE-2026-10050)

CWE-ID: CWE-173 - Improper Handling of Alternate Encoding

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to improper handling of alternate encoding in DigestAuthentication.apply() when computing Digest authentication response hashes using ISO-8859-1 encoding. A remote attacker can use a password variant in which non-Latin-1 characters are replaced with '?' characters to bypass authentication.

Successful exploitation requires knowledge of the target username and a password containing characters outside the U+00FF range.


2) Information disclosure (CVE-ID: CVE-2026-10051)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper state management in HttpConnection._trailers when processing consecutive HTTP/1.1 keep-alive requests with trailers. A remote attacker can send a request with crafted trailers followed by another request on the same connection to disclose sensitive information.

The issue is limited to reuse of stale trailer data across requests on the same keep-alive connection and is not cross-connection.


Remediation

Install update from vendor's website.