SB2026071348 - Multiple vulnerabilities in Jetty
Published: July 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Handling of Alternate Encoding (CVE-ID: CVE-2026-10050)
CWE-ID: CWE-173 - Improper Handling of Alternate Encoding
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to improper handling of alternate encoding in DigestAuthentication.apply() when computing Digest authentication response hashes using ISO-8859-1 encoding. A remote attacker can use a password variant in which non-Latin-1 characters are replaced with '?' characters to bypass authentication.
Successful exploitation requires knowledge of the target username and a password containing characters outside the U+00FF range.
2) Information disclosure (CVE-ID: CVE-2026-10051)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper state management in HttpConnection._trailers when processing consecutive HTTP/1.1 keep-alive requests with trailers. A remote attacker can send a request with crafted trailers followed by another request on the same connection to disclose sensitive information.
The issue is limited to reuse of stale trailer data across requests on the same keep-alive connection and is not cross-connection.
Remediation
Install update from vendor's website.